AttackFlow Findings Dictionary

Possible Insecure File Upload

The attacker can upload a server-side code file (code-behind), such as asp, aspx or cshtml, onto the target application server and execute unauthorized commands on the target operating system through requests sent from a web browser, which in turn leads to information disclosure or total system compromise.

Severity: Critical
Fix Cost: Medium
Trust Level: Low

In web applications, large unstructured data is usually transferred through file uploads. Profile pictures, PDF or office documents, and various images are some of the artifacts that are uploaded to web application backends.

Programming frameworks provide decent file upload APIs that make file transfer and processing easier for developers to implement.

Suppose the backend code is similar to the following snippet:

                            
[HttpPost]
public ActionResult Index(HttpPostedFileBase file) {

if (file.ContentLength > 0) {
var fName = Path.GetFileName(file.FileName);
var path = Path.Combine(Server.MapPath("~/uplds"), fName);
file.SaveAs(path);
}

return RedirectToAction("Index");
}
            
            

An attacker can upload any file type of his choosing, because there are no positive restrictions (whitelisting). One of the most dangerous file types to upload in these situations is the web shell.

A web shell is a dynamic script that can be uploaded to a web/application server to enable remote control of the machine. An attacker who uploads a web shell to the target system can run operating system commands, access source code and/or credentials, and use the target machine as a pivot to move further onto internal hosts.
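
A hardened form of the C# action above, as an added example that is not part of the original page: it applies a positive restriction on the extension, checks that the content starts with the signature of the claimed type, and stores the file under a server-generated name. The controller name, the size limit, the allowed types and the ~/App_Data/uplds folder are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class UploadController : Controller   // hypothetical controller name
{
    private const int MaxBytes = 5 * 1024 * 1024;   // assumed size limit

    // Allowlist: permitted extension -> leading bytes the content must start with
    private static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } }   // "%PDF"
        };

    [HttpPost]
    public ActionResult Index(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxBytes)
            return new HttpStatusCodeResult(400, "Missing or oversized file");

        // Path.GetFileName drops any directory part sent by the client
        var ext = Path.GetExtension(Path.GetFileName(file.FileName));
        byte[] magic;
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out magic))
            return new HttpStatusCodeResult(415, "File type not allowed");

        // The content must start with the signature of the claimed type
        var head = new byte[magic.Length];
        int read = file.InputStream.Read(head, 0, head.Length);
        if (read != magic.Length || !head.SequenceEqual(magic))
            return new HttpStatusCodeResult(415, "Content does not match extension");
        file.InputStream.Position = 0;

        // Server-chosen name; App_Data is not served to clients by ASP.NET by default
        var dir = Server.MapPath("~/App_Data/uplds");
        Directory.CreateDirectory(dir);
        file.SaveAs(Path.Combine(dir, Guid.NewGuid().ToString("N") + ext.ToLowerInvariant()));

        return RedirectToAction("Index");
    }
}
```

Because the stored name never comes from the client and the folder is not mapped to a URL, a file that slips past the type checks still cannot be requested and executed as a script.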

Suppose the Java backend code is similar to the following snippet:

            
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

Part filePart = request.getPart("file");
String fileName = getFilename(filePart);
boolean fileUploaded = false;

if(filePart != null && fileName != null){  
          	 
InputStream fileContent = filePart.getInputStream();
byte[] bytes = IOUtils.toByteArray(fileContent);
    
   
OutputStream out = new FileOutputStream(UploadPath + fileName);          	 
    
out.write(bytes);           	 
fileUploaded = true;
    
fileContent.close();
out.flush();
out.close();
}
            
        
