AttackFlow Findings Dictionary


MVC View Code Injection

The attacker can inject unauthorized server-side code by utilizing a remote code repository and run it on the target container, which leads to information disclosure or full system compromise.

Severity

Critical

Fix Cost

High

Trust Level

High

Applications rarely have a requirement to run user-supplied server-side view code dynamically. To implement this requirement, programming language frameworks or third parties provide APIs that dynamically interpret strings as code.

Suppose the backend code is similar to the following snippet:

using RazorEngine;
using RazorEngine.Templating; // For extension methods.

string template = "Hello @Model.Name, welcome to RazorEngine!";
var result = Engine.Razor.RunCompile(template, "key", null, new { Name = "World" });

The above code compiles and executes the C# Razor code in the template string at the backend. When that string is provided by the user, a malicious user can include any C# Razor code, which then runs on the target container and allows the attacker to steal information or take over the system entirely.

There are other ways of dynamically executing server-side code, however. For example, a virtual path provider can be registered and used to load views from a data store. This may be dangerous when the views are accepted from users and stored in the database.
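The following added example (not AttackFlow's or RazorEngine's own code) contrasts the risky pattern with a safer one in which the request only selects a developer-authored template by id and supplies model data. `WelcomeRenderer`, `WelcomeModel` and the template ids are hypothetical names, and the RazorEngine package is assumed to be referenced.

```csharp
using System;
using System.Collections.Generic;
using RazorEngine;
using RazorEngine.Templating; // For the RunCompile extension method.

public class WelcomeModel { public string Name { get; set; } }

public static class WelcomeRenderer
{
    // Developer-authored template sources only; nothing here comes from a request.
    private static readonly Dictionary<string, string> Templates =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["welcome"] = "Hello @Model.Name, welcome to RazorEngine!",
            ["goodbye"] = "Goodbye @Model.Name.",
        };

    // Risky: the caller controls the template source, so any Razor/C# in it
    // is compiled and executed on the server.
    public static string RenderUnsafe(string userSuppliedTemplate, string userName)
    {
        return Engine.Razor.RunCompile(userSuppliedTemplate, Guid.NewGuid().ToString(),
            typeof(WelcomeModel), new WelcomeModel { Name = userName });
    }

    // Safer: the caller picks a template by id from the fixed table above and
    // supplies data only. User input never reaches the template source argument.
    public static string RenderSafe(string templateId, string userName)
    {
        if (templateId == null || !Templates.TryGetValue(templateId, out var source))
            throw new ArgumentException("Unknown template id.", nameof(templateId));
        return Engine.Razor.RunCompile(source, "tpl-" + templateId,
            typeof(WelcomeModel), new WelcomeModel { Name = userName });
    }

    public static void Main()
    {
        // Constructed input: Razor syntax sent as a name stays model data and is not compiled.
        Console.WriteLine(RenderSafe("welcome", "@(1+1)"));
    }
}
```

When reviewing code for this finding, trace the first argument of every `RunCompile` call back to its origin; any path from request data, uploaded files or database fields that users can write to is the condition described above.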

HostingEnvironment.RegisterVirtualPathProvider
