diff --git a/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.md b/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.md index af5914b..f5030b6 100644 --- a/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.md +++ b/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.md 
@@ -17,7 +17,7 @@ tags: WSTG Many applications' business processes allow for the upload and manipulation of data that is submitted via files. But the business process must check the files and only allow certain "approved" file types. Deciding what files are "approved" is determined by the business logic and is application/system specific. The risk is that by allowing users to upload files, attackers may submit an unexpected file type that could be executed and adversely impact the application or system through attacks that may deface the site, perform remote commands, browse the system files, browse the local resources, attack other servers, or exploit the local vulnerabilities, just to name a few. -Vulnerabilities related to the upload of unexpected file types is unique in that the upload should quickly reject a file if it does not have a specific extension. Additionally, this is different from uploading malicious files in that in most cases an incorrect file format may not by it self be inherently "malicious" but may be detrimental to the saved data. For example if an application accepts Windows Excel files, if a similar database file is uploaded it may be read but data extracted my be moved to incorrect locations. +Vulnerabilities related to the upload of unexpected file types is unique in that the upload should quickly reject a file if it does not have a specific extension. Additionally, this is different from uploading malicious files in that in most cases an incorrect file format may not by it self be inherently "malicious" but may be detrimental to the saved data. For example if an application accepts Windows Excel files, if a similar database file is uploaded it may be read but data extracted may be moved to incorrect locations. The application may be expecting only certain file types to be uploaded for processing, such as `.csv` or `.txt` files. 
The application may not validate the uploaded file by extension (for low assurance file validation) or content (high assurance file validation). This may result in unexpected system or database results within the application/system or give attackers additional methods to exploit the application/system. diff --git a/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index cee60be..24a4c8a 100644 --- a/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -81,10 +81,15 @@ If the filtering is performed on the server-side, then various techniques can be - Change the value of `Content-Type` as `image/jpeg` in HTTP request. - Change the extensions to a less common extension, such as `file.php5`, `file.shtml`, `file.asa`, `file.jsp`, `file.jspx`, `file.aspx`, `file.asp`, `file.phtml`, `file.cshtml` +- Use double extensions such as `file.jpg.php` or `file.png.php`. For this to work properly, you must first understand how the web server handles files with multiple extensions. For instance, in certain scenario, the web server may only check if `.jpg` or `.png` is part of the file's extension which may allow attackers to bypass file extension filter. +- Change the [file signature](https://en.wikipedia.org/wiki/List_of_file_signatures) or magic byte of the uploaded file. - Change the capitalisation of the extension, such as `file.PhP` or `file.AspX` - If the request includes multiple filenames, change them to different values. - Using special trailing characters such as spaces, dots or null characters such as `file.asp...`, `file.php;jpg`, `file.asp%00.jpg`, `1.jpg%00.php` - In badly configured versions of Nginx, uploading a file as `test.jpg/x.php` may allow it to be executed as `x.php`. +- Upload an `.htaccess` file with the following content: `AddType application/x-httpd-php .png`. This will cause the Apache server to execute `.png` images as if they were `.php` resources. + +**Note that in some situations, you may need to combine the different filter evasion techniques discussed above in order to successfully bypass server-side filters.** ### Malicious File Contents 
@@ -202,3 +207,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) - [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) +- [List of file signatures](https://en.wikipedia.org/wiki/List_of_file_signatures)
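Review bot: the typo fix in the first hunk (`08-Test_Upload_of_Unexpected_File_Types.md`, `my` to `may`) leaves two more errors on the same rewritten line: `by it self` should be `by itself`, and `Vulnerabilities related to the upload of unexpected file types is unique` has a subject-verb mismatch and should read `are unique`. Since the line is already being replaced, fixing all three in this change avoids a second pass over the same paragraph.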
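Review bot: the new `.htaccess` bullet in the second hunk (`09-Test_Upload_of_Malicious_Files.md`) states an unconditional outcome, `This will cause the Apache server to execute .png images as if they were .php resources`, but that only holds when the server honours per-directory overrides for the upload location and routes PHP through a handler that respects `AddType`; servers configured with overrides disabled are not affected. The neighbouring Nginx bullet is correctly hedged with `may allow`, so suggest the same register here, e.g. `On Apache servers that honour per-directory overrides, this may cause ...`, and consider stating the hardening side (disabling overrides for upload directories) so the reader knows what to recommend. Smaller points in the same hunk: the double-extension bullet needs `in certain scenario` to become `in certain scenarios` and `bypass file extension filter` to become `bypass the file extension filter`; the new file-signature bullet is the only one in the list that does not say which kind of check it is aimed at, so a short clause would keep the list consistent; and the fully bolded `**Note that in some situations ...**` sentence departs from the plain-paragraph style the rest of the document uses for such remarks, so drop the bold.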