This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
Description
Attack Execution Flow
3
1
Step 1
Explore[Identify web application URL inputs] Review application inputs to find those that are designed to be URLs.
Manually navigate web site pages to identify URLs.
Use automated tools to identify URLs.
AI Translation
[Identifica gli input URL delle applicazioni web] Esamina gli input dell'applicazione per individuare quelli progettati come URL.
Naviga manualmente le pagine del sito web per identificare gli URL.
Utilizza strumenti automatizzati per identificare gli URL.
Attack Techniques
-
Manually navigate web site pages to identify URLs.
-
Use automated tools to identify URLs.IT: Navigare manualmente le pagine del sito web per identificare gli URL.
2
Step 2
Experiment[Identify URL inputs allowing local access.] Execute test local commands via each URL input to determine which are successful.
Manually execute a local command (such as 'pwd') via the URL inputs.
Using an automated tool, test each URL input for weakness.
AI Translation
[Identificare gli URL input che consentono l'accesso locale.] Eseguire comandi locali di test tramite ciascun URL input per determinare quali hanno successo.
Eseguire manualmente un comando locale (come 'pwd') tramite gli URL input.
Utilizzare uno strumento automatizzato per testare ogni URL input alla ricerca di vulnerabilità.
Attack Techniques
-
Manually execute a local command (such as 'pwd') via the URL inputs.
-
Using an automated tool, test each URL input for weakness.IT: Eseguire manualmente un comando locale (come 'pwd') tramite gli input URL.
3
Step 3
Exploit[Execute malicious commands] Using the identified URL inputs that allow local command execution, execute malicious commands.
Execute local commands via the URL input.
AI Translation
[Esecuzione di comandi dannosi] Utilizzando gli input URL identificati che consentono l'esecuzione di comandi locali, eseguire comandi dannosi.
Eseguire comandi locali tramite l'input URL.
Attack Techniques
-
Execute local commands via the URL input.
Mitigations
6
Design: Use Browser Technologies That Do Not Allow Client Side Scripting.
Implementation: Perform Input Validation For All Remote Content.
Implementation: Perform Output Validation For All Remote Content.
Implementation: Disable Scripting Languages Such As Javascript In Browser
Implementation: Ensure All Content That Is Delivered To Client Is Sanitized Against An Acceptable Content Specification.
Implementation: Ensure All Configuration Files And Resource Are Either Removed Or Protected When Promoting Code Into Production.
Consequences
Security Scopes Affected
Confidentiality
Integrity
Potential Impacts
Modify Data
Read Data