Posts

Showing posts from January, 2013

Arbitray File Download

I just stumbled upon one great article. A nice article about what the arbitrary file download is and how dangerous it would be if exploited. Later the difference between arbitrary file download and LFI/ RFI has been discusses, which is a often confused topic.
What is Arbitrary File Download?
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
What is LFI/ RFI:
Often confused, LFI/RFI is different from the Arbitrary File Download vulnerability. However, both are used in combination if directory traversal is turned on in the server. LFI and RFI stands for Local File Inclusion and Remote File Inclusion vulnerability. Both are of similar nature, except the mode of exploitation. Both take advantage of unfiltered input file parameters used by web applications, predominantly PHP. LFI, while exploited uses any local file which is available at the sa…

Anti CSRF header

Recently I came across an application which was preventing crsf attacks using a unique non-traditional approach. In traditional approach the csrf is thwarted by embedding unique random tokens, called nonce, in each sensitive page. But this application, which was making ajax calls and used jQuery, was creating a header to identify the valid and invalid requests altogether. The idea is to generate a custom header, x-session-token in this case, with every request which is considered sensitive and includes any sort of transaction. For example:
xhr.setRequestHeader('x-session-token', csrf_token) At the server level, server checks for this header if found request is fulfilled, otherwise rejected.
We need to use xhr calls for making use of this technique, not useful in regular POST and GET requests. Since, I was not aware of this kind of countermeasures, probably, since most of the applications I did were using standard requests. So, I searched a bit and found even Google also uses …