Friday, November 16, 2018

Spoofing file extensions on HackerOne

While testing HackerOne, I observed an issue with the file upload functionality. It seems that on File upload, the uploader uses the content within the file for determining the content type of file instead of filetype .

Although this does not pose much of a risk since the changed extensions would be visible at download time but wanted to blog about this.

This raises below 2 scenario:

Scenario 1


  • Open the batch.cmd on the posted comment
  • Observe an image gets represented and their is no warning from HackerOne

  • User downloads the file, thinking of it as an image file 
  • if the user accidentally ignores the downloaded file extensions opens it then malicious batch file gets executed



Scenario 2 


  • Open the myFile.txt on the posted comment
  • You will see a warning from Hackerone, but since the file is txt file so user might just go ahead 

  • User downloads the file, thinking of it as an text file

  • if the user accidentally ignores the downloaded file extensions opens it then malicious HTML scripts execute


Reason:

  1. Content-Disposition: attachment; filename="" in response from hackerone-attachments.s3.amazonaws.com does not contain filename, forcing browser to decide the naming convention. 
  2. Since the Content type got decided on basis of file content header instead of extension by HackerOne so few browser would simply save it on user computer with incorrect extension, which caused the above Scenarios 1 and 2
HackerOne Report:
https://hackerone.com/reports/268123 (Closed as Informative)

No comments:

Post a Comment