Researcher Oren Hafif uncovered a new attack vector where the malicious file is downloaded without actually being uploaded anywhere.
Oren presented the new Web attack vector at Black Hat Europe in Amsterdam. The attack injects commands (command injection) into a URL, and those commands are then reflected back in a JSON or JSONP response. What is needed is an API that accepts user-controlled input and reflects it into the response, much like reflected XSS. The downloaded file is not hosted on the targeted website; it is reflected from it. To the user, the download appears to come from a trusted source (google.com), but the file is not actually hosted there.
When the victim clicks the crafted link, the Web browser sends a request to the vulnerable website, which sends back a response that the browser saves on the victim's computer as a file. The attacker chooses the name of the malicious file through the URL sent to the victim.
For example, in Google Chrome, if you click a link to a URL that ends in .bat and the response carries a Content-Type that the browser treats as an attachment, the file is downloaded straight to the operating system. This works with many file extensions and in almost all browsers.
Reflected File Download Demo: Gmail : Zero X Dude
The BAT file takes advantage of the OR operator (||) of the Windows command interpreter, which chains two commands: the SECOND command runs only if the FIRST one fails.
The FIRST command fails (returns FALSE), so the SECOND command runs and launches the calculator. If the FIRST command succeeded (TRUE), the SECOND command would not run.
The JSON case works the same way: the command is injected directly into the reflected response, and the downloaded file executes it through the same || operator, so a failing FIRST command causes the SECOND command to run.
Where can we find RFD?
- Any response that reflects input and uses a less common Content-Type.
- JSON APIs and JSONP endpoints are extremely vulnerable.
- Permissive URL mapping (requests with extra '/' or ';' path segments still reach the API).
How to Fix RFD?
- Use exact URL mapping: no wildcards!
- Do not escape! Encode! Emit \u0022 or \x22 instead of \"
- Require custom headers for all APIs.
- If possible, use CSRF tokens.
- Add a Content-Disposition header with a filename attribute: Content-Disposition: attachment; filename=1.txt
- Whitelist callbacks: they are reflected by default!
- Enforce an XSSI mitigation such as for(;;);
- Never include user input in API usage errors.
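As an added example (not code from the talk or from this article), here is a minimal Python request handler that applies the fixes listed above to a JSON/JSONP echo endpoint; the endpoint path, the parameter names, the callback whitelist and the custom header name are assumptions chosen for illustration:

```python
import json

# Constructed values for this example: an exact endpoint path, a whitelist of
# JSONP callbacks, the XSSI prefix from the list above, and a custom header
# that a plain link click (the RFD delivery vector) cannot send.
EXACT_PATH = "/api/echo"
ALLOWED_CALLBACKS = {"handleEcho", "cb"}
XSSI_PREFIX = "for(;;);"
REQUIRED_HEADER = "X-Requested-With"


def encode_json(value):
    """Serialize so that reflected input contains no literal quote character.

    json.dumps escapes a quote as \\" ; cmd.exe ignores the backslash and
    sees the quote, which is what lets "||calc|| break out in a .bat file.
    Encoding it as \\u0022 leaves nothing for the shell to interpret."""
    text = json.dumps(value, ensure_ascii=True)
    return text.replace('\\"', "\\u0022")


def handle_request(path, params, headers):
    """Return (status, response_headers, body) for GET <path>?q=...&callback=...

    Each check maps to one item of the fix list above."""
    # Exact URL mapping: "/api/echo;/setup.bat" or "/api/echo/x.bat" do not match.
    if path != EXACT_PATH:
        return 404, {"Content-Type": "text/plain"}, "not found"
    # Require a custom header: a crafted <a href> link never carries it.
    if REQUIRED_HEADER not in headers:
        return 403, {"Content-Type": "text/plain"}, "missing " + REQUIRED_HEADER
    # Whitelist callbacks instead of reflecting whatever the caller supplied;
    # the error text deliberately does not echo the rejected value.
    callback = params.get("callback")
    if callback is not None and callback not in ALLOWED_CALLBACKS:
        return 400, {"Content-Type": "text/plain"}, "callback not allowed"
    payload = encode_json({"q": params.get("q", "")})
    if callback:
        body, ctype = f"{callback}({payload});", "application/javascript"
    else:
        # XSSI mitigation: the prefix makes the JSON useless as a <script> source.
        body, ctype = XSSI_PREFIX + payload, "application/json"
    response_headers = {
        "Content-Type": ctype,
        # Fixed filename: the browser never saves the response under a name
        # taken from the attacker-controlled URL.
        "Content-Disposition": "attachment; filename=1.txt",
    }
    return 200, response_headers, body
```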