Reflected File Download vulnerability

OWASP 2013-A1 OWASP 2017-A1 PCI v3.2- CAPEC-375 CWE-840 ISO27001-A.14.2.5 WASC-42

Reflected File Download (RFD) is an attack executed through a combination of URL path segments with web services. An attacker can perform reflected file download attack through JSONP injection. This vulnerability is used to inject malware into the end users system. JSONP injection is an injection attack that affects the JSON files used in the application. An attacker can insert files on the API link using semicolons(;). When the link gets executed by the browser, it will consider it as a file and execute the file. The attacker can take leverage of this vulnerability to make the end users download the malicious file.

For an attacker to perform an RFD attack, the attacker must be able to:-

  • reflect and inject shell commands.
  • link files using APIs.
  • download the file.

Nowadays, a JSON and JSONP files are used by almost all web applications because the application can asynchronously load data into the pages. This implementation helps to reduce the amount of traffic between the application and clients.

Example

Consider the following link is vulnerable to reflected file download vulnerability.

https://example.beaglesecurity.com/s;/setup.bat;?q=rfd%22 calc 

In the above URL, everything between the semi-colons will not be processed. Instead, the browser will consider it as a file name and download it and execute the file without checking. The downloaded file will be executed as a batch file and calc.exe will be executed.

Impact

Using this attack, the attacker can do the following impacts:-

  • Gain complete control over the user’s machine.
  • Gain access to browsers like Google Chrome (even if, the communication is encrypted).
  • Exploit vulnerabilities using machine’s installed vulnerable software.

Mitigation / Precaution

Beagle recommends the following fixes-

  • Sanitise the application’s API input.
  • Add the Content-Disposition attachments in the application.
  • Add X-Content-Type-Options along with nosniff header to API responses.

Latest Articles