Tải bản đầy đủ - 0trang
8 Uploading Files with Malicious Names
Figure 5-8. The status bar shows the full image location
First, create a test image file on your local computer. Make several copies of it with
various invalid or suspect characters in the name, such as single quotes, equals signs,
or parentheses. For example, in the Windows NTFS filesystem,
'onerror='alert('XSS')' a='.jpg is a valid filename. Microsoft Paint should suffice to
create this image, or you can copy and rename an existing image. Unix and Linux
filesystems may allow further special characters, such as pipe (|) and slashes.
Upload this file via your application’s form and complete whatever steps are necessary
to find where the file is displayed or downloaded. In the page where the file is displayed,
or the link to download it is listed, find the filename in the source code.
For an application where the file is downloaded, you will likely find a link to the file’s
location on the server. When the file is an image and is directly displayed in an application, you should find an image tag referring to the file. Ensure that the link or image
location does not simply echo back the exact same filename. Ideally, the URL will
contain an ID number rather than the actual filename. Alternatively, the special characters in the filename may be escaped via slashes or an encoding. Simply echoing back
the exact same filename may leave your application open to attack.
For example, the web-based mail application displayed in Figure 5-8 escapes filenames
There are a few key circumstances where a file upload may reveal a vulnerability. These
include operating system code injection, cross-site scripting, SQL injection, or abuse
of file processing. Code injection at the server level is not a typical application-level
security concern. Yet because files provide such a straightforward path to the server, it
is worth mentioning here.
Often, the server operating system can be identified via the response headers, as discussed in Recipe 3.6. On some Unix or Linux filesystems in particular, filenames may
5.8 Uploading Files with Malicious Names | 89
include special characters such as slashes, pipes, and quotes. A few unusual and potential dangerous filenames are shown in Example 5-5, using Mac OS X and the associated HFS filesystem. If the headers reveal the application framework or language
instead, you may try special characters for that language. When uploading a filename
including these special characters, if the application doesn’t automatically escape or
replace the special characters, your application may be at risk. Experiment with the
special characters—if you can get your application to crash or display incorrect behavior, it’s likely that further manipulation could fully exploit your server or
Example 5-5. A few filenames including special characters
" || cat /etc/passwd; "
' having 1=1
A trivial example for a Unix- or Linux-based server is the filename |ls -al. If uploaded
without escaping or renaming, a server script attempting to open the file might instead
return the contents of the directory (similar to the dir command in DOS). There are
far worse attacks, including some that delete or create files in the filesystem.
For those testing from an operating system that does not allow special characters in
filenames (such as Windows), remember that it’s possible to change the name of a file
as you are uploading it, even if you cannot save the file on disk with special characters.
See Recipe 5.1 for more details on using TamperData to change data sent to the server.
Cross-site-scripting. Even if code injection isn’t possible, if filenames are not escaped
properly, cross-site scripting is still a potential issue. Any filename needs to escape or
encode HTML special characters before being saved to disk. Preferably, the entire filename should be replaced by a unique identifier.
If a raw, unchanged filename is sent to the browser, the following HTML output can
injection, a major method of carrying out cross-site scripting attacks.
SQL injection. While code injection attacks the server or language running the application
and cross-site scripting targets the browser, SQL injection focuses on maliciously accessing the database. If the uploaded file is stored in a database, rather than as a file on
the server, SQL injection is the area you should test, rather than code injection.
The most common special character required for SQL injection is the single quote. Try
adding a single quote to a filename and see what happens as the file is saved to the
database. If your application returns an error, chances are it is vulnerable to SQL
90 | Chapter 5: Tampering with Input
The act of uploading and then processing files paves the way for other
security concerns beyond the name of the file. Any files uploaded in this
way are application input and should be tested as thoroughly as HTTP
driven input. Each file format will need to be tested according to the
expectations of that format, but we can present a brief summary of file
content related risks.Take care storing these files on your computer. You
could cause odd behavior with your antivirus software, freeze your
computer, or violate corporate policy. Be careful!
5.9 Uploading Large Files
If your web application allows users to upload files, there is one basic test that you must
apply—attempt to upload a large file beyond the limits of what your application usually
What constitutes “large” depends on your application, but the general rule of thumb
is: upload a file 100 times larger than normal usage. If your application is built to
accommodate files up to 5 megabytes, try one with 500 megabytes.
If you’re having trouble creating a file that large, modify the program in Example 5-2
to make a file much larger than a megabyte and use it. If you need binary data, you can
change rand(95) to be rand(255) and remove the line below that adds 32 to the result.
Once you have your sample largefile.txt, upload it to your application where the
This test is nothing more than an extreme example of boundary-value testing. A lack
of validation on file upload size may be caught by normal testing. An application that
doesn’t limit file upload size, on the other hand, will usually freeze completely—
requiring a restart of the web server. Typically there will be no error message or stack
trace when the server memory fills up—the system just gets progressively slower until
it no longer responds. This is an indirect denial of service, as the attack may be repeated
as soon as the server is back online.
You’re going to want to execute this test on a fast connection, preferably as close to the
actual server as possible. If you can run the web server on your desktop and upload a
file from your desktop, all the better. The point of this test is to ensure your server and
application properly reject large files—not to take a nap as you test your bandwidth.
5.9 Uploading Large Files | 91
5.10 Uploading Malicious XML Entity Files
XML is the de facto standard for web services and web-compatible data storage. The
parts of an application that process XML are important areas to test. While normal
testing should involve uploading and processing valid and malformed XML documents,
there are security precautions one should take with XML as well. This test attacks the
XML processing modules used to extract data for use in your application.
This specific attack is called the “billion laughs” attack because it creates a recursive
XML definition that generates one billion “Ha!” strings in memory (if your XML parser
is vulnerable). Identify a form or HTTP request within your application that accepts
an XML file upload. Attacking AJAX applications with the billion laughs is discussed
in Chapter 10.
You will need to create a file on your local computer containing the malicious XML.
Insert or upload XML into your application like what is shown in Example 5-6.
Example 5-6. Billion laughs XML data
For the sake of brevity, we removed a few lines from this XML document. The entire
document can also be generated programmatically via the program shown in Example 5-7.
Example 5-7. Generating the billion laughs attack
# number of entities is 2^30 if $entities == 30
$entities = 30;
$i = 1;
open OUT, ">BillionLaughs.txt" or die "cannot open BillionLaughs.txt";
print OUT "\n";
print OUT "
92 | Chapter 5: Tampering with Input