[WEB SECURITY] Attack Technique: File Download Injection

Arian J. Evans arian.evans at anachronic.com
Mon Apr 7 23:38:17 EDT 2008

This is really nice, Jeff.

This is ultimately a well researched, very easy and effective use of HTTP
Control Character injection, which is what most of the world means when
they say "HTTP Response Splitting" -- including every automated test
I've seen for this.

This also points out that we should really revisit "HTTP Response Splitting"
and break it down into all the real & useful attack variants.

Amit's excellent paper is too complicated for the layman. Heck, it was
too complicated for me. (No jokes from the rest of the crowd)

"response splitting" is a far-fetched attack variant under most normal
conditions, but you can do a lot of things like you describe here. This
gets REALLY BAD when you start dealing with intermediary caching
proxies, or 3rd party Akamai-like providers that cache updated content
dynamically & host on their bandwidth (versus their customers' bandwidth).

I'm not talking theory. I've proved this IRL in the last year.

We started a paper on our research internally at WhiteHat, but never
completed it unfortunately due to people bandwidth. I'll ping folks
internally and see where we are at with this.

Your work is timely and very well written up.

We need a master attack node of > HTTP Protocol Manipulations

with subsets of

> HTTP Control Character injection

>> HTTP Header Injection, Download Injection, RS, etc etc

also, as an aside

>> HTTP Verb manipulations

This hasn't been well documented, and there's not much to
it, but you still find code that pulls data/strings arbitrarily
out of some generic session or request object, when the
validation or security routines are bound explicitly to a
specific HTTP verb or request construct (e.g. only validates
Poststring data on POST, and not Querystring params)

Yet the code parses that stuff out of the request or session
object after validation, leading to HTTP Control Character
injection, XSS, SQLi, etc etc.

That would add a few new attack vectors to your examples
below for sure.

Again, great work, thanks for documenting so well and
sharing it with us!


Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet vapid chicks concerned
with those tasty animals

On Mon, Apr 7, 2008 at 12:22 PM, Jeff Williams <
jeff.williams at aspectsecurity.com> wrote:

> File Download Injection
> =======================
> Affects most web application platforms, including Java, .NET, PHP, Cold
> Fusion.
> This attack involves the use of header injection, particularly the
> Content-Disposition header, to subvert HTTP responses from trusted
> domains. Attackers can use this technique to inject a malicious file
> download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
> .vbs, etc...) and arbitrary file content. Since the attack subverts an
> existing HTTP request, both the URL and the downloaded file use a
> trusted domain.
> Some variants of the attack are surprisingly simple:
>   http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad
> When the response for this attack arrives at the victim's browser, the
> malicious file is named "attack.bat" and contains the command "wordpad"
> inside. The injected file is opened as if it was a legitimate download
> from the trusted domain. The attacker can inject any filename (.exe,
> .bat, .html, .pdf, .sh, etc...) with any file content, and the browser
> just opens it as it normally would - sometimes with a "run", "save",
> "cancel" dialog and sometimes not.
> Susceptible header injection vulnerabilities are frequently found in
> file download pages, but could be anywhere a web application uses
> untrusted input in a response header. This type of vulnerability can
> exist in virtually any web application environment, including Java, .NET
> and PHP.
> This research builds on previous work in header injection and malicious
> file execution, and adds the ability to make the attack come from
> trusted domains. Although file download injection attacks are sent
> through the vulnerable application on their way to the browser for
> execution, they go beyond cross site scripting (XSS) as any file type
> can be injected. The attack is also different from HTTP response
> splitting as no second response is generated. Instead, the content of
> the original response is replaced.
> The paper examines various aspects of the attack, including both stored
> and hidden variants and issues related to Content-Length. Some advanced
> techniques for bypassing naive defenses are discussed. Finally, the
> requirements for a strong defense are presented. Organizations are
> encouraged to find and eliminate header injection vulnerabilities based
> on the severity of this attack.
> Full details in the white paper here:
> http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
> --Jeff
> Jeff Williams
> Aspect Security
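The header injection described in the quoted post, as an added example that is not from the post or the white paper: it builds the response the way a vulnerable download page would, parses it the way a client does, and then applies an allow-list to the filename. The function names, the response layout, the allow-list pattern and `REAL_BODY` are assumptions made for illustration; the `fn` value is the one from the URL quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample: the fn parameter from the URL quoted in the post, still URL-encoded.
SAMPLE_FN = "attack.bat%0d%0a%0d%0awordpad"
REAL_BODY = b"quarterly-report-bytes"  # constructed stand-in for the legitimate file

def build_response(disposition: str, body: bytes) -> bytes:
    """Serialize a minimal HTTP response with the given Content-Disposition value."""
    head = ("HTTP/1.1 200 OK\r\n"
            f"Content-Disposition: {disposition}\r\n"
            "Content-Type: application/octet-stream\r\n\r\n")
    return head.encode("latin-1") + body

def naive_response(fn: str, body: bytes) -> bytes:
    """'Before' pattern: the decoded parameter is concatenated into the header."""
    return build_response(f"attachment; filename={fn}", body)

def parse_like_client(raw: bytes):
    """Split head from body at the first blank line, as an HTTP client does."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body

# Allow-list for download names: no CR/LF, quotes, path separators or leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

def content_disposition(fn: str) -> str:
    """Hardened: build the header value only from an allow-listed filename."""
    if not _SAFE_NAME.fullmatch(fn):
        raise ValueError("filename rejected for Content-Disposition")
    return f'attachment; filename="{fn}"'

def hardened_response(fn: str, body: bytes) -> bytes:
    return build_response(content_disposition(fn), body)

if __name__ == "__main__":
    fn = unquote(SAMPLE_FN)  # what the framework hands the application
    headers, body = parse_like_client(naive_response(fn, REAL_BODY))
    print("naive headers:", headers)   # header block ends at the injected blank line
    print("naive body   :", body)      # injected text first, real headers pushed into the body
    try:
        hardened_response(fn, REAL_BODY)
    except ValueError as exc:
        print("hardened     :", exc)
```

Rejecting the value outright, rather than stripping the CR and LF characters, keeps the check independent of how many decoding passes the platform applies before the application sees the parameter.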
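The verb-bound validation gap described in the reply above, as an added example that is not part of either message: a filter that only inspects form data on POST, next to a handler that reads the same parameter through a generic accessor. The `Request` class, its `param` accessor, both filters and the sample requests are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def param(self, name):
        # Generic accessor: form data first, then the query string, on any verb.
        return self.form.get(name, self.query.get(name))

def has_control_chars(value: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)

def verb_bound_filter(req: Request) -> bool:
    """'Before' pattern: validation only inspects form data on POST."""
    if req.method == "POST":
        return not any(has_control_chars(v) for v in req.form.values())
    return True  # every other verb, and the query string, goes unchecked

def source_agnostic_filter(req: Request) -> bool:
    """Hardened: check every source the accessor can read, whatever the verb."""
    values = list(req.query.values()) + list(req.form.values())
    return not any(has_control_chars(v) for v in values)

def handle(req: Request, request_filter) -> str:
    """Return the header value the handler would emit, or 'rejected'."""
    if not request_filter(req):
        return "rejected"
    return "attachment; filename=" + req.param("fn")

# Constructed requests carrying the same fn value in different places.
BAD = "a.txt\r\nX-Test: 1"
POST_FORM = Request("POST", form={"fn": BAD})
GET_QUERY = Request("GET", query={"fn": BAD})
POST_QUERY = Request("POST", query={"fn": BAD}, form={"other": "ok"})

if __name__ == "__main__":
    for name, req in [("POST form", POST_FORM), ("GET query", GET_QUERY),
                      ("POST query", POST_QUERY)]:
        print(name, "| verb-bound:", repr(handle(req, verb_bound_filter)),
              "| source-agnostic:", handle(req, source_agnostic_filter))
```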