CAPEC-48
Passing Local Filenames to Functions That Expect a URL
Hoch
Hoch
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2022-09-29
00h00 +00:00
00h00 +00:00
Benachrichtigung für ein CAPEC
Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.
CAPEC-Beschreibungen
This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
CAPEC-Informationen
Ausführungsablauf
1) Explore
[Identify web application URL inputs] Review application inputs to find those that are designed to be URLs.
Technik
- Manually navigate web site pages to identify URLs.
- Use automated tools to identify URLs.
2) Experiment
[Identify URL inputs allowing local access.] Execute test local commands via each URL input to determine which are successful.
Technik
- Manually execute a local command (such as 'pwd') via the URL inputs.
- Using an automated tool, test each URL input for weakness.
3) Exploit
[Execute malicious commands] Using the identified URL inputs that allow local command execution, execute malicious commands.
Technik
- Execute local commands via the URL input.
Voraussetzungen
The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browserErforderliche Kenntnisse
Attacker identifies known local files to exploitGegenmaßnahmen
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.
Design: Use browser technologies that do not allow client side scripting.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Verwandte Schwachstellen
| Name der Schwachstelle | |
|---|---|
CWE-241 |
Improper Handling of Unexpected Data Type The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
CWE-706 |
Use of Incorrectly-Resolved Name or Reference The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
Referenzen
REF-1
Exploiting Software: How to Break CodeG. Hoglund, G. McGraw.
REF-416
Core Concepts: Attack Patternshttps://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html
Einreichung
| Name | Organisation | Datum | Veröffentlichungsdatum |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Änderungen
| Name | Organisation | Datum | Kommentar |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Attack_Phases, Description, Description Summary, References | |
| CAPEC Content Team | The MITRE Corporation | Updated Attack_Phases | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated @Abstraction | |
| CAPEC Content Team | The MITRE Corporation | Updated Example_Instances |
