9. Common Web Application Attacks

• Directory traversal

• File inclusion vulnerabilities

• File upload vulnerabilities

• Command injection

Leaks a file from the file system of the server

• Check for url parameters, e.g. content=index.html

• Unix via ../

• Windows via ../ or ..\

  
  

“includes” a file into the web applicaiton running code, which might enables code execution

content:

• local file inclusion (lfi)

• php wrappers

• remote file inclusion (rfi)

Setting

1. Assume directory travesal vuln, which might leak apache log files

2. Apache log file contains user-agent header of each request

3. Assume file inclusion vuln, where user can include files into the applications code (e.g. via php include statement)

Attack:

1. Perform request with poisoned user agent header, which contains php code

2. use file inclusion vuln to include apache log into application space and run malicious php code

if the attacker controls the php include statement, we can use php wrappers to execute code or exfiltrate php files (base64 encoded data)

• attacker controlled file can be included

• triggers RCE in php

• requires php setting “allow_ url include”

In general three types:

• upload executable code (e.g. PHP files)

• uploading files suffers from directory traversal, which allows us to overwrite system files (e.g. authorized keys)

  • or we can perform XSS or XXE attacks

• uploading files, which will be opened by victim (e.g. malicious .docx file) -> not relevant

• avatar, blog posts, CV upload, etc

• if uploads are filtered by extension, try to bypass the filter

• after upload, find directory and trigger execution

• the file upload might suffers from a directory travesal vulnerablity

• this might allow an attacker to overwrite system files, such as authorized_keys

• application does not sanitize user input correctly

• user can inject commands into server, which allows him to trigger RCE