January 29, 2020 · Web

10 Web Vulnerabilities That You Should Be on the Lookout For

These are some interesting web attacks that I have either found, read about or theorized. They should all work in practice.

1. Unicode Transliteration (Best-Fit Mapping)
Unicode transliteration is the replacement of non-ASCII characters with their ASCII approximations (e.g. <script> would become <script>). This can be used to bypass input validation if the transliteration happens after validation.

For example, imagine a web application that disallowed the < and > characters on an input field, unsafely display the input field and stored data in ASCII format. The Unicode characters <and > could be used to bypass the input validation, but would be covered to their ASCII equivalents when stored in the database, leading to an XSS vulnerability.

2. Race Conditions / Asynchronous Requests
Race conditions in web applications are real and can be exploited to perform malicious actions. The Burp Turbo Intruder extension can be used to make asynchronous requests to execute security sensitive business logic in parallel. This can be abused to claim gift cards multiple times or bypass coupon code limits.

For example, if the backend logic that evaluates whether someone has previously claimed a coupon code is not thread-safe, then two requests being processed asynchronously would pass the preconditions of the coupon code being unclaimed and apply the discount/grant to the order/account multiple times.

3. Injection through Optical Character Recognition (OCR)
Data obtained from OCR systems is often trusted, stored in the database and displayed for user confirmation. If the OCR data is not considered arbitrary, then the application might contain input injection vulnerabilities.

For example, a web application that scans standardized documents such as drivers licenses might not have considered a crafted picture with quote symbols in the license number or the < and > symbols in the name. This can lead to SQL injection and XSS respectively.

4. Server-Side Request Forgery in PDF Generators
XSS vulnerabilities found within PDF documents generated by the application can lead to Server-Side Request Forgery vulnerabilities which are often more severe.

For example, if you discover XSS within a PDF file generated by an application, you can execute JavaScript inside a browser on the server. This can be used to enumerated the internet network, access internal web servers and in some situations result in arbitrary command execution.

5. X-HTTP-Method-Override
The headers X-HTTP-Method-Override, X-HTTP-Method or X-METHOD-OVERRIDE requests a web application to override the method specified in the request with the method given in the header field. This can be used to bypass HTTP method restrictions configured on web application firewalls or access additional methods within a cross-site request forgery attack. The trick managed to earn @Zigoo0 a large reward in the Google bug bounty program when used as part of a vulnerability chain to achieve remote code execution.

6. Hop-by-Hop Headers
The "Connection" header defines a set of headers that are designed to be removed by the proxy handling the request. This can be abused to remove security sensitive headers such as X-Forwarded-For.

For example, if a web application treats requests from the internal network as authenticated, and uses the X-Forwarded-For header to determine the IP address, then removing the X-Forwarded-For header can cause intermediate proxies to behave unexpectedly. This can result in the requests appearing to have originated from the internal network and being treated as authenticated. This scenario and more are detailed in the blog post Abusing HTTP hop-by-hop request headers by @nj_dav.

7. ZipSlip
The ZipSlip vulnerability abuses the fact that the zip archive specification allows path traversal characters in filenames (for example a file can be named "../../../../var/www/html/shell.php") and developers often handle the edge-case poorly. The vulnerability can be leveraged to place files in arbitrary locations on a web server which often results in remote code execution.

The root-cause is when a filename (e.g. ../../../../var/www/html/shell.php) is concatenated with a destination directory (e.g. /tmp/28_01_2020/extracted_data/) without being validated. This results in the file being extracted into the incorrect directory (/var/www/html/shell.php). A detailed explanation exists in the blog Zip Slip Vulnerability.

8. OrderBy Data Leakage
Applications that contains an OrderBy or equivalent parameter view viewing data will often allow arbitrary values as long as its a valid column within the database table. This can be leveraged as an oracle to disclose sensitive information such as passwords even when the database column is never displayed.

For example, imagine a web application that displayed a list of ordered users using some type of OrderBy parameter. The interface would most likely only support ordering on the displayed fields, but if we guessed that accounts probably have a password column and set OrderBy=password, this can be used to disclose passwords.

The attacks works because we can create accounts with the passwords AAAAA, BBBBB, CCCCC, ..., ZZZZZ and then use the ordering to determine the first character of a targeted accounts password. This would have to be repeated for every character in the password. If the first character was F, the next set of accounts would have the passwords FAAAA, FBBBB, FCCCC, ..., FZZZZ to determine the next character and-so-forth.

In practice the character-set will be much larger and require the creation of hundreds of accounts. This can be optimized with a binary search pattern, and the fact that most passwords are English words. The one caveat would be if passwords are stored hashed as this would complicate the attack, if not making it impossible.

9. Password Reset Link Poisoning
Web applications that use the user-controlled Host header to generate password reset links for account recovery purposes are vulnerable to Password Reset Link Poisoning. By supplying an attacker controlled domain in the Host header, the application can be coerced to create password reset links, that when visited, send the reset token to the attacker. In most account recovery workflows this results in the victim account being fully compromised.

10. Insecure File Upload
Developers that blacklist instead of whitelist file extensions in file upload functionality are playing a dangerous game. There are numerous file extensions that can be used to gain remote code execution that are not obvious. Configurations files like .htaccess, web.config and __init__.py can all be used to achieve remote code execution are often missed. A good resource of examples can be found in PayloadsAllTheThings and the issues can be seen in practice here.