From 93cf1309e8720bedb6c5434a8170e2eca7d63b37 Mon Sep 17 00:00:00 2001 From: doverh Date: Wed, 17 Apr 2024 14:48:49 -0400 Subject: [PATCH 01/32] Add tests for Archive Directory Traversal --- .../09-Test_Upload_of_Malicious_Files.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index fa35bf2b06..d0d0f2f461 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -93,6 +93,39 @@ When this file is uploaded, it should be detected and quarantined or deleted by If the application extracts archives (such as Zip files), then it may be possible to write to unintended locations using directory traversal. This can be exploited by uploading a malicious zip file that contains paths that traverse the file system using sequences such as `..\..\..\..\shell.php`. This technique is discussed further in the [snyk advisory](https://snyk.io/research/zip-slip-vulnerability). +A test against Archive Directory Traversal should include two parts: + +1. A malicious archive that breaks out of the target directory when extracted. For example, a compressed file contains two files: a “notinfected.sh” file, that is extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder and adds a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. + +2. A functionality is required to extract compressed files, either using your own code or a library. Vulnerability exists when the extraction functionality don’t validate file paths in the archive. An example of a vulnerable code in Java can be seen below. + +```java +1: Enumerationentries=​​zip​.g​etEntries(); +2: while(entries​.h​asMoreElements()){ +3: ZipEntry e ​=​entries.nextElement(); +4: File f = new File(destinationDir, e.getName()); +5: InputStream input =​​zip​.g​etInputStream(e); +6: IOUtils​.c​opy(input, write(f)); +7: } +``` + +Additional testing techniques: + +- Upload a malicious zip file and try to remote access this file when upload is completed. [Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) +- In the pipeline: Include a unit test that uploads an infected compressed file against the extraction method. 
+- Validate that libraries being used by the application have been (patched for this vulnerability)[https://github.com/snyk/zip-slip-vulnerability#affected-libraries] +- Review implementation of upload methods in the application looking for vulnerable code. +- Vulnerability in the Java code above could be prevented by including a test that throws an exception: + +```java +1: StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath(); +2: Filedestinationfile=newFile(destinationDir,e.getName()); +3: StringcanonicalDestinationFile=destinationfile.getCanonicalPath(); +4: if(!canonicalDestinationFile.startsWith(canonicalDestinationDirPath+File.separator)){ +5: throw new ArchiverException("Entry is outside of the target dir: " + e.getName()); +6: } +``` + #### Zip Bombs A [Zip bomb](https://en.wikipedia.org/wiki/Zip_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the Zip format is the most used example for this, other formats are also affected, including gzip (which is frequently used to compress data in transit). @@ -158,3 +191,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) - [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) +- [Zip Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) \ No newline at end of file From 7d3de99211324d6a486693558ebfacf010794310 Mon Sep 17 00:00:00 2001 
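Review bot: in the `@@ -93,6 +93,39 @@` hunk of PATCH 01/32, both Java blocks are pasted with fused tokens and invisible characters (`Enumerationentries=​​zip​.g​etEntries();`, `StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath();`, `Filedestinationfile=newFile(destinationDir,e.getName());`), so they neither compile nor copy cleanly; retype them by hand with real spaces, and drop the `1:` through `7:` prefixes inside the fence since nothing in the text refers to line numbers. `write(f)` in `IOUtils​.c​opy(input, write(f));` is not a method of anything shown; the copy needs an `OutputStream` such as `new FileOutputStream(f)`. The link `(patched for this vulnerability)[https://github.com/snyk/zip-slip-vulnerability#affected-libraries]` has its parentheses and brackets swapped and will render as literal text. Wording: `i.e.` before the example path should be `e.g.`, `the extraction functionality don’t validate` should be `doesn’t validate`, and `an example of a vulnerable code` should be `an example of vulnerable code`. The hardened snippet is the right shape, but the text should say why the check appends `File.separator` to the canonical directory path: without it, an entry resolving into a sibling directory that merely shares the prefix (an `uploads-old` next to `uploads`, to take a constructed example) would pass `startsWith`; it is also worth stating that the check must run before any bytes are written. The new `Zip Slip` reference line is added without a trailing newline (`\ No newline at end of file`), which markdown lint will flag.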
From: doverh Date: Wed, 17 Apr 2024 17:26:49 -0400 Subject: [PATCH 02/32] Update eicar link and fix md issues --- .../09-Test_Upload_of_Malicious_Files.md | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index d0d0f2f461..06f9f4e795 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -22,7 +22,7 @@ A common example of this vulnerability is an application such as a blog or forum - Identify the file upload functionality. - Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. - - If documentation is not available then consider what would be appropriate based on the purpose of the application. +- If documentation is not available then consider what would be appropriate based on the purpose of the application. - Determine how the uploaded files are processed. - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted and processed. 
@@ -83,38 +83,36 @@ Once the file type has been validated, it is important to also ensure that the c #### Malware -Applications should generally scan uploaded files with anti-malware software to ensure that they do not contain anything malicious. The easiest way to test for this is using the [EICAR test file](https://www.eicar.org/?page_id=3950), which is an safe file that is flagged as malicious by all anti-malware software. +Applications should generally scan uploaded files with anti-malware software to ensure that they do not contain anything malicious. The easiest way to test for this is using the [EICAR test file](https://www.eicar.org/download-anti-malware-testfile/), which is an safe file that is flagged as malicious by all anti-malware software. Depending on the type of application, it may be necessary to test for other dangerous file types, such as Office documents containing malicious macros. Tools such as the [Metasploit Framework](https://github.com/rapid7/metasploit-framework) and the [Social Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit) can be used to generate malicious files for various formats. -When this file is uploaded, it should be detected and quarantined or deleted by the application. Depending on how the application processes the file, it may not be obvious whether this has taken place. +When this file is uploaded, it should be detected and quarantined or deleted by the application. Depending on how the application processes the file, it may not be obvious whether this has taken place. #### Archive Directory Traversal -If the application extracts archives (such as Zip files), then it may be possible to write to unintended locations using directory traversal. This can be exploited by uploading a malicious zip file that contains paths that traverse the file system using sequences such as `..\..\..\..\shell.php`. 
This technique is discussed further in the [snyk advisory](https://snyk.io/research/zip-slip-vulnerability). +If the application extracts archives (such as ZIP files), then it may be possible to write to unintended locations using directory traversal. This can be exploited by uploading a malicious ZIP file that contains paths that traverse the file system using sequences such as `..\..\..\..\shell.php`. This technique is discussed further in the [snyk advisory](https://snyk.io/research/ZIP-slip-vulnerability). A test against Archive Directory Traversal should include two parts: - -1. A malicious archive that breaks out of the target directory when extracted. For example, a compressed file contains two files: a “notinfected.sh” file, that is extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder and adds a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. -2. A functionality is required to extract compressed files, either using your own code or a library. Vulnerability exists when the extraction functionality don’t validate file paths in the archive. An example of a vulnerable code in Java can be seen below. +1. A malicious archive that breaks out of the target directory when extracted. For example, a compressed file contains two files: a “notinfected.sh” file, that is extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder and adds a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory.2. A functionality is required to extract compressed files, either using your own code or a library. 
Vulnerability exists when the extraction functionality don’t validate file paths in the archive. An example of a vulnerable code in Java can be seen below. ```java -1: Enumerationentries=​​zip​.g​etEntries(); +1: Enumerationentries=​​ZIP​.g​etEntries(); 2: while(entries​.h​asMoreElements()){ -3: ZipEntry e ​=​entries.nextElement(); +3: ZIPEntry e ​=​entries.nextElement(); 4: File f = new File(destinationDir, e.getName()); -5: InputStream input =​​zip​.g​etInputStream(e); +5: InputStream input =​​ZIP​.g​etInputStream(e); 6: IOUtils​.c​opy(input, write(f)); 7: } ``` Additional testing techniques: -- Upload a malicious zip file and try to remote access this file when upload is completed. [Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) +- Upload a malicious ZIP file and try to remote access this file when upload is completed. [Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) - In the pipeline: Include a unit test that uploads an infected compressed file against the extraction method. -- Validate that libraries being used by the application have been (patched for this vulnerability)[https://github.com/snyk/zip-slip-vulnerability#affected-libraries] -- Review implementation of upload methods in the application looking for vulnerable code. +- Validate that libraries being used by the application have been [patched for this vulnerability](https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries) +- Review implementation of upload methods in the application looking for vulnerable code. - Vulnerability in the Java code above could be prevented by including a test that throws an exception: ```java 
@@ -126,19 +124,19 @@ Additional testing techniques: 6: } ``` -#### Zip Bombs +#### ZIP Bombs -A [Zip bomb](https://en.wikipedia.org/wiki/Zip_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the Zip format is the most used example for this, other formats are also affected, including gzip (which is frequently used to compress data in transit). +A [ZIP bomb](https://en.wikipedia.org/wiki/ZIP_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the ZIP format is the most used example for this, other formats are also affected, including gZIP (which is frequently used to compress data in transit). -At its simplest level, a Zip bomb can be created by compressing a large file consisting of a single character. The example below shows how to create a 1MB file that will decompress to 1GB: +At its simplest level, a ZIP bomb can be created by compressing a large file consisting of a single character. The example below shows how to create a 1MB file that will decompress to 1GB: ```bash -dd if=/dev/zero bs=1M count=1024 | zip -9 > bomb.zip +dd if=/dev/zero bs=1M count=1024 | ZIP -9 > bomb.ZIP ``` -There are a number of methods that can be used to achieve much higher compression ratios, including multiple levels of compression, [abusing the Zip format](https://www.bamsoftware.com/hacks/zipbomb/) and [quines](https://research.swtch.com/zip) (which are archives that contain a copy of themselves, causing infinite recursion). 
+There are a number of methods that can be used to achieve much higher compression ratios, including multiple levels of compression, [abusing the ZIP format](https://www.bamsoftware.com/hacks/ZIPbomb/) and [quines](https://research.swtch.com/ZIP) (which are archives that contain a copy of themselves, causing infinite recursion). -A successful Zip bomb attack will result in a denial of service, and can also lead to increased costs if an auto-scaling cloud platform is used. **Do not carry out this kind of attack unless you have considered these risks and have written approval to do so.** +A successful ZIP bomb attack will result in a denial of service, and can also lead to increased costs if an auto-scaling cloud platform is used. **Do not carry out this kind of attack unless you have considered these risks and have written approval to do so.** #### XML Files @@ -191,4 +189,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) - [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) -- [Zip Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) \ No newline at end of file +- [ZIP Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/ZIP-slip-vulnerability/technical-whitepaper.pdf) From 391859b7c0b45435bb122ec1d6cc798c87a6b317 Mon Sep 17 00:00:00 2001 From: doverh Date: Wed, 17 Apr 2024 17:39:48 -0400 Subject: [PATCH 03/32] Update ZIP links and fix Nginx terminology --- .../09-Test_Upload_of_Malicious_Files.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
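Review bot: the case-only `zip` to `ZIP` replacement in PATCH 02/32 was applied to URLs and code as well as prose, and those are case-sensitive: `https://snyk.io/research/ZIP-slip-vulnerability`, `https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries`, `https://en.wikipedia.org/wiki/ZIP_bomb`, `https://www.bamsoftware.com/hacks/ZIPbomb/`, `https://research.swtch.com/ZIP` and the cloudinary whitepaper path all differ from the working originals and may stop resolving; `ZIPEntry` is not the JDK class (`java.util.zip.ZipEntry`); `dd if=/dev/zero bs=1M count=1024 | ZIP -9 > bomb.ZIP` invokes a command named `ZIP` that does not exist; and `gZIP` is not how gzip is written. Restrict the change to the prose word and leave links, identifiers and shell commands as they were. In the `@@ -83,38 +83,36 @@` hunk the two numbered items are also joined onto one line (`... reaching the root directory.2. A functionality is required ...`), so the list will no longer render as two items; keep the line break between them. The EICAR sentence is rewritten but still reads `which is an safe file`; make it `a safe file` while touching that line. Fixing the link syntax of the Snyk affected-libraries bullet is a good catch.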
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 06f9f4e795..9e0be74089 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -75,7 +75,7 @@ If the filtering is performed on the server-side, then various techniques can be - Change the capitalisation of the extension, such as `file.PhP` or `file.AspX` - If the request includes multiple filenames, change them to different values. - Using special trailing characters such as spaces, dots or null characters such as `file.asp...`, `file.php;jpg`, `file.asp%00.jpg`, `1.jpg%00.php` -- In badly configured versions of nginx, uploading a file as `test.jpg/x.php` may allow it to be executed as `x.php`. +- In badly configured versions of Nginx, uploading a file as `test.jpg/x.php` may allow it to be executed as `x.php`. ### Malicious File Contents 
@@ -126,7 +126,7 @@ Additional testing techniques: #### ZIP Bombs -A [ZIP bomb](https://en.wikipedia.org/wiki/ZIP_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the ZIP format is the most used example for this, other formats are also affected, including gZIP (which is frequently used to compress data in transit). +A [ZIP bomb](https://en.wikipedia.org/wiki/zip_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the ZIP format is the most used example for this, other formats are also affected, including gZIP (which is frequently used to compress data in transit). At its simplest level, a ZIP bomb can be created by compressing a large file consisting of a single character. The example below shows how to create a 1MB file that will decompress to 1GB: 
@@ -134,7 +134,7 @@ At its simplest level, a ZIP bomb can be created by compressing a large file con dd if=/dev/zero bs=1M count=1024 | ZIP -9 > bomb.ZIP ``` -There are a number of methods that can be used to achieve much higher compression ratios, including multiple levels of compression, [abusing the ZIP format](https://www.bamsoftware.com/hacks/ZIPbomb/) and [quines](https://research.swtch.com/ZIP) (which are archives that contain a copy of themselves, causing infinite recursion). +There are a number of methods that can be used to achieve much higher compression ratios, including multiple levels of compression, [abusing the ZIP format](https://www.bamsoftware.com/hacks/zipbomb/) and [quines](https://research.swtch.com/zip) (which are archives that contain a copy of themselves, causing infinite recursion). A successful ZIP bomb attack will result in a denial of service, and can also lead to increased costs if an auto-scaling cloud platform is used. **Do not carry out this kind of attack unless you have considered these risks and have written approval to do so.** From 490abdfa579c0d4e41967503e5b60b55a886af56 Mon Sep 17 00:00:00 2001 From: doverh Date: Wed, 17 Apr 2024 21:21:59 -0400 Subject: [PATCH 04/32] Review sentences --- .../09-Test_Upload_of_Malicious_Files.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 9e0be74089..90a75db916 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
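Review bot: PATCH 03/32 reverts only three of the URLs broken by the previous commit; `https://snyk.io/research/ZIP-slip-vulnerability`, `https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries`, the cloudinary `ZIP-slip-vulnerability` whitepaper path, `ZIPEntry` in the Java block, `ZIP -9 > bomb.ZIP` in the bash block and `gZIP` in the ZIP bomb paragraph are still in the damaged form after this commit. Since 02 and 03 are a change and its partial undo, squash them so the series never carries a state where the links and the shell command are wrong. On the `nginx` to `Nginx` change in the `@@ -75,7 +75,7 @@` hunk: the upstream project writes its own name in lower case, so check the WSTG style guide before capitalising it, and if the change stays, the commit message should say which convention it follows.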
@@ -95,14 +95,15 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: -1. A malicious archive that breaks out of the target directory when extracted. For example, a compressed file contains two files: a “notinfected.sh” file, that is extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder and adds a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory.2. A functionality is required to extract compressed files, either using your own code or a library. Vulnerability exists when the extraction functionality don’t validate file paths in the archive. An example of a vulnerable code in Java can be seen below. +1. A malicious archive, that extracted breaks out of the target directory. A compressed file could contains two files: a “notinfected.sh” file, extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. +2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerability exists when the extraction functionality don’t validate file paths in the archive. 
The example below shows a vulnerable implementation in Java: ```java -1: Enumerationentries=​​ZIP​.g​etEntries(); +1: Enumerationentries=​​zip​.g​etEntries(); 2: while(entries​.h​asMoreElements()){ -3: ZIPEntry e ​=​entries.nextElement(); +3: ZipEntry e ​=​entries.nextElement(); 4: File f = new File(destinationDir, e.getName()); -5: InputStream input =​​ZIP​.g​etInputStream(e); +5: InputStream input =zip​.g​etInputStream(e); 6: IOUtils​.c​opy(input, write(f)); 7: } ``` @@ -110,10 +111,9 @@ A test against Archive Directory Traversal should include two parts: Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. [Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) -- In the pipeline: Include a unit test that uploads an infected compressed file against the extraction method. -- Validate that libraries being used by the application have been [patched for this vulnerability](https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries) -- Review implementation of upload methods in the application looking for vulnerable code. -- Vulnerability in the Java code above could be prevented by including a test that throws an exception: +- Include a unit test to upload an infected compressed file on the extraction method. +- Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries) +- Include a validation that throws an exception when vulnerabilities is included, like in the example below: ```java 1: StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath(); 
@@ -126,12 +126,12 @@ Additional testing techniques: #### ZIP Bombs -A [ZIP bomb](https://en.wikipedia.org/wiki/zip_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the ZIP format is the most used example for this, other formats are also affected, including gZIP (which is frequently used to compress data in transit). +A [ZIP bomb](https://en.wikipedia.org/wiki/zip_bomb) (more generally known as a decompression bomb) is an archive file that contains a large volume of data. It's intended to cause a denial of service by exhausting the disk space or memory of the target system that tries to extract the archive. Note that although the ZIP format is the most used example for this, other formats are also affected, including gzip (which is frequently used to compress data in transit). At its simplest level, a ZIP bomb can be created by compressing a large file consisting of a single character. The example below shows how to create a 1MB file that will decompress to 1GB: ```bash -dd if=/dev/zero bs=1M count=1024 | ZIP -9 > bomb.ZIP +dd if=/dev/zero bs=1M count=1024 | zip -9 > bomb.zip ``` There are a number of methods that can be used to achieve much higher compression ratios, including multiple levels of compression, [abusing the ZIP format](https://www.bamsoftware.com/hacks/zipbomb/) and [quines](https://research.swtch.com/zip) (which are archives that contain a copy of themselves, causing infinite recursion). From ebee495d66a424e1fb0425791427ef82bb74d834 Mon Sep 17 00:00:00 2001 From: doverh Date: Thu, 18 Apr 2024 15:22:30 -0400 Subject: [PATCH 05/32] Update based on comments --- .../09-Test_Upload_of_Malicious_Files.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
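Review bot: the reworded list items in the `@@ -95,14 +95,15 @@` hunk of PATCH 04/32 introduce several grammar problems: `A malicious archive, that extracted breaks out of the target directory`, `A compressed file could contains two files`, `A functionality, that is required to extract compressed files`, `the extraction functionality don’t validate` and `throws an exception when vulnerabilities is included`. Suggested forms: "A malicious archive that, when extracted, breaks out of the target directory", "The archive could contain two files", "The extraction functionality, implemented in custom code or a library", "doesn’t validate", and for the last bullet a description of what the check does rather than "when vulnerabilities is included", for example "Reject any entry whose canonical path falls outside the destination directory, as in the example below". Splitting items 1 and 2 back onto separate lines and restoring `zip`, `ZipEntry` and `bomb.zip` in the code are correct, but `InputStream input =zip​.g​etInputStream(e);` lost its space, and `[patched for this vulnerability.](https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries)` keeps the broken `ZIP-slip` path and now has the period inside the link text. The dropped bullet `Review implementation of upload methods in the application looking for vulnerable code.` was the only item pointing reviewers at the source rather than at runtime testing; consider keeping it.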
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 90a75db916..ff14a90283 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -22,7 +22,7 @@ A common example of this vulnerability is an application such as a blog or forum - Identify the file upload functionality. - Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. -- If documentation is not available then consider what would be appropriate based on the purpose of the application. + - If documentation is not available then consider what would be appropriate based on the purpose of the application. - Determine how the uploaded files are processed. - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted and processed. 
@@ -91,37 +91,37 @@ When this file is uploaded, it should be detected and quarantined or deleted by #### Archive Directory Traversal -If the application extracts archives (such as ZIP files), then it may be possible to write to unintended locations using directory traversal. This can be exploited by uploading a malicious ZIP file that contains paths that traverse the file system using sequences such as `..\..\..\..\shell.php`. This technique is discussed further in the [snyk advisory](https://snyk.io/research/ZIP-slip-vulnerability). +If the application extracts archives (such as ZIP files), then it may be possible to write to unintended locations using directory traversal. This can be exploited by uploading a malicious ZIP file that contains paths that traverse the file system using sequences such as `..\..\..\..\shell.php`. This technique is discussed further in the [snyk advisory](https://snyk.io/research/zip-slip-vulnerability). A test against Archive Directory Traversal should include two parts: -1. A malicious archive, that extracted breaks out of the target directory. A compressed file could contains two files: a “notinfected.sh” file, extracted into the target directory, and a “infected.sh” file, that attempts to navigate to the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path could contain many levels of "../" (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. -2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerability exists when the extraction functionality don’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: +1. A malicious archive, that extracted breaks out of the target directory. 
A compressed file could contains two files: a 'notinfected.sh' file, extracted into the target directory, and a 'infected.sh' file, that attempts to navigate to the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path could contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. +2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exists when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java -1: Enumerationentries=​​zip​.g​etEntries(); -2: while(entries​.h​asMoreElements()){ -3: ZipEntry e ​=​entries.nextElement(); -4: File f = new File(destinationDir, e.getName()); -5: InputStream input =zip​.g​etInputStream(e); -6: IOUtils​.c​opy(input, write(f)); -7: } + Enumerationentries=​​zip​.g​etEntries(); + while(entries​.h​asMoreElements()){ + ZipEntry e ​=​entries.nextElement(); + File f = new File(destinationDir, e.getName()); + InputStream input =zip​.g​etInputStream(e); + IOUtils​.c​opy(input, write(f)); + } ``` Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. [Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) -- Include a unit test to upload an infected compressed file on the extraction method. -- Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/ZIP-slip-vulnerability#affected-libraries) +- Include a unit test to upload an infected compressed file then execute the extraction method. 
+- Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/zip-slip-vulnerability#affected-libraries) - Include a validation that throws an exception when vulnerabilities is included, like in the example below: ```java -1: StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath(); -2: Filedestinationfile=newFile(destinationDir,e.getName()); -3: StringcanonicalDestinationFile=destinationfile.getCanonicalPath(); -4: if(!canonicalDestinationFile.startsWith(canonicalDestinationDirPath+File.separator)){ -5: throw new ArchiverException("Entry is outside of the target dir: " + e.getName()); -6: } + StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath(); + Filedestinationfile=newFile(destinationDir,e.getName()); + StringcanonicalDestinationFile=destinationfile.getCanonicalPath(); + if(!canonicalDestinationFile.startsWith(canonicalDestinationDirPath+File.separator)){ + throw new ArchiverException("Entry is outside of the target dir: " + e.getName()); + } ``` #### ZIP Bombs @@ -189,4 +189,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) - [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) -- [ZIP Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/ZIP-slip-vulnerability/technical-whitepaper.pdf) +- [Zip Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) From 8795fb31b2c55021cafe8c184c2daaba13627934 Mon Sep 17 00:00:00 2001 From: doverh Date: Thu, 18 Apr 2024 15:25:42 -0400 Subject: [PATCH 06/32] Fix md issues --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
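Review bot: removing the `1:` through `6:` prefixes in PATCH 05/32 does not make the Java blocks usable, because the fused tokens and zero-width characters from the original paste are still there (`Enumerationentries=​​zip​.g​etEntries();`, `Filedestinationfile=newFile(destinationDir,e.getName());`, `IOUtils​.c​opy(input, write(f));`); retype both blocks by hand so a reader can compile them, and replace `write(f)` with a real `OutputStream`. The blocks are also now indented by four spaces inside the fence, which renders as leading whitespace on every line; start them at column zero. `Archive Directory Traversal vulnerabilities exists` should be `exist`. The nested bullet `    - If documentation is not available` gets four-space indentation here after PATCH 02/32 flattened it; the repository's lint rules, not taste, should decide the nesting width, so settle it in one commit rather than across 02, 05 and 07. `ZIP Slip` is renamed back to `Zip Slip` in this commit and flipped again in the next; Snyk's own name for the vulnerability is `Zip Slip`, so keep that spelling regardless of how the file format is capitalised.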
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index ff14a90283..59fce817e5 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -189,4 +189,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) - [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) -- [Zip Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) +- [ZIP Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) From 668751854a12f64f41fe84235e44c77894d8ae99 Mon Sep 17 00:00:00 2001 From: doverh Date: Thu, 18 Apr 2024 15:31:07 -0400 Subject: [PATCH 07/32] Fix subpoint --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 59fce817e5..bf65b6d95a 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
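Review bot: PATCH 06/32 flips `Zip Slip` back to `ZIP Slip` one commit after PATCH 05/32 changed it the other way, and the message `Fix md issues` does not say what markdown issue the capitalisation fixes. `Zip Slip` is the proper name Snyk gave this vulnerability class (the linked advisory and whitepaper use it), while `ZIP` elsewhere in the document refers to the file format; keep the proper name and squash this with 05 so the history does not record a back-and-forth.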
@@ -22,7 +22,7 @@ A common example of this vulnerability is an application such as a blog or forum - Identify the file upload functionality. - Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. - - If documentation is not available then consider what would be appropriate based on the purpose of the application. + - If documentation is not available then consider what would be appropriate based on the purpose of the application. - Determine how the uploaded files are processed. - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted and processed. From 50a6022b923b6ebcd5752fcd5c7850c100d8e496 Mon Sep 17 00:00:00 2001 From: doverh Date: Thu, 18 Apr 2024 18:39:35 -0400 Subject: [PATCH 08/32] Update text part of the test section --- .../09-Test_Upload_of_Malicious_Files.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index bf65b6d95a..aea3f38cc6 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
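Review bot: The removed and added lines in this hunk are character-identical in the rendered diff, so the change is whitespace only (presumably the nested bullet's indentation); the commit message `Fix subpoint` should state what was changed, for example the indent width the markdown linter expects, especially since the same line is touched again in PATCH 14 and PATCH 16 and the three could be one commit.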
@@ -95,8 +95,8 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: -1. A malicious archive, that extracted breaks out of the target directory. A compressed file could contains two files: a 'notinfected.sh' file, extracted into the target directory, and a 'infected.sh' file, that attempts to navigate to the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path could contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. -2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exists when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: +1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'notinfected.sh' file, extracted into the target directory, and also an 'infected.sh' file, that intends to navigate your way to the root folder and infect the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. +2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java Enumerationentries=​​zip​.g​etEntries(); From 509f2b1fdcc3c7ccbaebcfb02615e4303adc7294 Mon Sep 17 00:00:00 2001 
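Review bot: The rewritten item 1 in this hunk is less precise than the line it replaces: `intends to navigate your way to the root folder and infect the tmp directory` mixes second person into a description of the test artifact, whereas `attempts to navigate up the directory tree` and `writes a file into the tmp directory` say what the entry actually does (PATCH 09 restores most of that wording, so these two commits should be squashed). Item 2 still reads `A functionality, that is required to extract compressed files`; `A function or library that extracts compressed files` is cleaner. Also `i.e.` should be `e.g.`, since the long `../` path is one example rather than a definition.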
From: doverh Date: Thu, 18 Apr 2024 18:50:04 -0400 Subject: [PATCH 09/32] Remove double space line 90 --- .../09-Test_Upload_of_Malicious_Files.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index aea3f38cc6..6d9dd965b1 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -87,7 +87,7 @@ Applications should generally scan uploaded files with anti-malware software to Depending on the type of application, it may be necessary to test for other dangerous file types, such as Office documents containing malicious macros. Tools such as the [Metasploit Framework](https://github.com/rapid7/metasploit-framework) and the [Social Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit) can be used to generate malicious files for various formats. -When this file is uploaded, it should be detected and quarantined or deleted by the application. Depending on how the application processes the file, it may not be obvious whether this has taken place. +When this file is uploaded, it should be detected and quarantined or deleted by the application. Depending on how the application processes the file, it may not be obvious whether this has taken place. #### Archive Directory Traversal 
@@ -95,7 +95,7 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: -1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'notinfected.sh' file, extracted into the target directory, and also an 'infected.sh' file, that intends to navigate your way to the root folder and infect the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. +1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'notinfected.sh' file, extracted into the target directory, and also an 'infected.sh' file, that attempts to navigate up the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. 2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java From 850db572a09b1331537a3e58425caed066e4f101 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 15:57:07 -0400 Subject: [PATCH 10/32] Update testing steps --- .../09-Test_Upload_of_Malicious_Files.md | 37 +++++++++++-------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 6d9dd965b1..e73fe3abd9 100644 
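Review bot: Item 1 in the `@@ -95` hunk now uses a bare hyphen as a dash (`root folder - adding a file`); rephrase as a single clause such as `attempts to navigate up the directory tree to the root and write a file into the tmp directory`. The unchanged context line for item 2 still carries the awkward `A functionality, that is required`, which none of the text commits in this series fixes.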
--- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -95,34 +95,40 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: -1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'notinfected.sh' file, extracted into the target directory, and also an 'infected.sh' file, that attempts to navigate up the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/infected.sh) to stand a better chance of reaching the root directory. +1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'base' file, extracted into the target directory, and also an 'traversed' file, that attempts to navigate up the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/traversed) to stand a better chance of reaching the root directory. 2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java Enumerationentries=​​zip​.g​etEntries(); while(entries​.h​asMoreElements()){ - ZipEntry e ​=​entries.nextElement(); + ZipEntry e ​= ​entries.nextElement(); File f = new File(destinationDir, e.getName()); - InputStream input =zip​.g​etInputStream(e); + InputStream input = zip​.g​etInputStream(e); IOUtils​.c​opy(input, write(f)); } ``` Additional testing techniques: -- Upload a malicious ZIP file and try to remote access this file when upload is completed. 
[Watch it in action here](https://www.youtube.com/watch?v=l1MT5lr4p9o) +- Upload a malicious ZIP file and try to remote access this file when upload is completed. + 1. Open a new terminal and create a new folder: + mkdir ZipFiles + 2. Create a base file: + touch base.txt + 3. Open this file, add a simple note and save it. + 4. Create a traversed file that matches a local or remote directory: + touch ../../../../../../../../tmp/traversed + 5. Open this file and a message to echo (executing this file should echo this message): + echo "Your message here" + 6. Create the zip file: + zip -r + 7. Validate files compressed + jar -tvf + 8. Load this zip file in the target application. + 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. + - Include a unit test to upload an infected compressed file then execute the extraction method. - Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/zip-slip-vulnerability#affected-libraries) -- Include a validation that throws an exception when vulnerabilities is included, like in the example below: - -```java - StringcanonicalDestinationDirPath=destinationDir.getCanonicalPath(); - Filedestinationfile=newFile(destinationDir,e.getName()); - StringcanonicalDestinationFile=destinationfile.getCanonicalPath(); - if(!canonicalDestinationFile.startsWith(canonicalDestinationDirPath+File.separator)){ - throw new ArchiverException("Entry is outside of the target dir: " + e.getName()); - } -``` #### ZIP Bombs 
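Review bot: The hunk drops the canonical-path validation block (`canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator)`) together with the bullet `Include a validation that throws an exception...`, which leaves the section with a vulnerable Java example and no corresponding fixed one; the `patched for this vulnerability` link is not a substitute for showing the check, so keep the snippet (it can move under the remediation guidance if it does not fit among testing techniques). The new step list also has reproducibility gaps: `zip -r` in step 6 and `jar -tvf` in step 7 have no arguments, the commands are indented plain text rather than code, step 4's `touch ../../../../../../../../tmp/traversed` is relative to the current directory rather than to the `ZipFiles` folder created in step 1 so it is unclear what `zip -r` is expected to pick up, and step 5 shows an `echo` but never writes the message into the file. PATCH 25 reworks this list, so the intermediate versions should be squashed. Finally, `try to remote access this file` should read `try to access this file remotely`.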
@@ -188,5 +194,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [How to Tell if a File is Malicious](https://web.archive.org/web/20210710090809/https://www.techsupportalert.com/content/how-tell-if-file-malicious.htm) - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) -- [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) -- [ZIP Slip](https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf) +- [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) \ No newline at end of file From aa51ee5d202942a2b739e84f7fcc86ade21f1397 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 16:02:36 -0400 Subject: [PATCH 11/32] Fix md --- .../09-Test_Upload_of_Malicious_Files.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index e73fe3abd9..37f1d7fcd3 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
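Review bot: This hunk removes the `ZIP Slip` whitepaper entry from References although the section body still discusses Zip Slip and links the Snyk advisory; dropping the primary reference looks accidental and should be restored. It also deletes the file's final newline (`\ No newline at end of file`), which PATCH 13 then has to put back; keep the trailing newline here and squash.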
@@ -119,11 +119,11 @@ Additional testing techniques: 4. Create a traversed file that matches a local or remote directory: touch ../../../../../../../../tmp/traversed 5. Open this file and a message to echo (executing this file should echo this message): - echo "Your message here" + echo 'Your message here' 6. Create the zip file: - zip -r + zip -r 'zip file name' 'directory name 7. Validate files compressed - jar -tvf + jar -tvf 'zip file name' 8. Load this zip file in the target application. 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. From 264f59945c14964dfd6b79302f8feee361b99169 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 16:05:22 -0400 Subject: [PATCH 12/32] Fix md ZIP --- .../09-Test_Upload_of_Malicious_Files.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 37f1d7fcd3..04b578bcd0 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
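Review bot: `zip -r 'zip file name' 'directory name` in step 6 is missing its closing quote, and single-quoted placeholders read as literal shell strings; use one placeholder convention (the later commits move to backticks) or a concrete example such as `zip -r test.zip ZipFiles` that matches the folder created in step 1. The double-quote to single-quote change in step 5 is cosmetic and could be dropped.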
@@ -120,11 +120,11 @@ Additional testing techniques: touch ../../../../../../../../tmp/traversed 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' - 6. Create the zip file: - zip -r 'zip file name' 'directory name + 6. Create the ZIP file: + ZIP -r 'ZIP filename' 'directory name 7. Validate files compressed - jar -tvf 'zip file name' - 8. Load this zip file in the target application. + jar -tvf 'ZIP filename' + 8. Load this ZIP file in the target application. 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. - Include a unit test to upload an infected compressed file then execute the extraction method. From 55a532f00a201754d96180a2886e72e7126c0ff9 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 16:14:03 -0400 Subject: [PATCH 13/32] Fix md newline --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 04b578bcd0..7eb488bff3 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
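Review bot: `ZIP -r 'ZIP filename' 'directory name` uppercases the command name; on Unix the binary is `zip` and command names are case-sensitive, so the ZIP-capitalisation sweep should be limited to prose and not touch commands (PATCH 18 reverts this). The missing closing quote after `directory name` is also still present.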
@@ -194,4 +194,4 @@ Fully protecting against malicious file upload can be complex, and the exact ste - [How to Tell if a File is Malicious](https://web.archive.org/web/20210710090809/https://www.techsupportalert.com/content/how-tell-if-file-malicious.htm) - [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) - [Implementing Secure File Upload](https://infosecauditor.wordpress.com/tag/malicious-file-upload/) -- [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) \ No newline at end of file +- [Metasploit Generating Payloads](https://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) From 94c0ab9577ead1b6dc0ccd94601758a083c39609 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 18:44:04 -0400 Subject: [PATCH 14/32] Fix add inline code fences --- .../09-Test_Upload_of_Malicious_Files.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 7eb488bff3..a496cfc5cb 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -22,7 +22,7 @@ A common example of this vulnerability is an application such as a blog or forum - Identify the file upload functionality. - Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. - - If documentation is not available then consider what would be appropriate based on the purpose of the application. + - If documentation is not available then consider what would be appropriate based on the purpose of the application. - Determine how the uploaded files are processed. - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted and processed. @@ -112,18 +112,18 @@ Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. 1. Open a new terminal and create a new folder: - mkdir ZipFiles + 'mkdir ' 2. Create a base file: - touch base.txt + 'touch base.txt' 3. Open this file, add a simple note and save it. 4. Create a traversed file that matches a local or remote directory: - touch ../../../../../../../../tmp/traversed + 'touch ../../../../../../../../tmp/traversed' 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' 6. Create the ZIP file: - ZIP -r 'ZIP filename' 'directory name + 'zip -r ' 7. Validate files compressed - jar -tvf 'ZIP filename' + 'jar -tvf ' 8. Load this ZIP file in the target application. 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. From 89874e6b4c3d8665f761e66483c0c7b6458e1953 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 18:52:26 -0400 Subject: [PATCH 15/32] Fix zip md --- .../09-Test_Upload_of_Malicious_Files.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
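Review bot: In the second hunk the arguments disappear from the inline commands (`'mkdir '`, `'zip -r '`, `'jar -tvf '`), most likely because angle-bracket placeholders were interpreted as HTML tags and stripped on rendering; wrapping the commands in single quotes instead of backticks does not address that. Use backtick inline code and placeholders without angle brackets (for example `zip -r ARCHIVE.zip FOLDER`) so the arguments survive. The first hunk is whitespace-only on the same nested bullet as PATCH 07 and PATCH 16; the three should be one commit.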
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index a496cfc5cb..e045206164 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -112,7 +112,7 @@ Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. 1. Open a new terminal and create a new folder: - 'mkdir ' + 'mkdir ' 2. Create a base file: 'touch base.txt' 3. Open this file, add a simple note and save it. @@ -121,9 +121,9 @@ Additional testing techniques: 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' 6. Create the ZIP file: - 'zip -r ' + 'ZIP -r ' 7. Validate files compressed - 'jar -tvf ' + 'jar -tvf ' 8. Load this ZIP file in the target application. 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. From 88d8147a605fe9e5c775a8de92de044a3b7d3812 Mon Sep 17 00:00:00 2001 From: doverh Date: Tue, 23 Apr 2024 18:54:40 -0400 Subject: [PATCH 16/32] Fix inline indentation --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index e045206164..3fb7cd8483 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
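Review bot: The second hunk reintroduces `ZIP -r` after PATCH 14 had corrected it to `zip -r`, and both hunks still leave the commands in single quotes with empty arguments; the series is oscillating on the same two lines, which suggests the intended final text should be written once and the intermediate fix-ups squashed.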
@@ -22,7 +22,7 @@ A common example of this vulnerability is an application such as a blog or forum - Identify the file upload functionality. - Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. - - If documentation is not available then consider what would be appropriate based on the purpose of the application. + - If documentation is not available then consider what would be appropriate based on the purpose of the application. - Determine how the uploaded files are processed. - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted and processed. From 3ddede0ffa23a9da921cbbd252d8570545f56c90 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:16:26 -0400 Subject: [PATCH 17/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 3fb7cd8483..caea463b73 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -99,7 +99,7 @@ A test against Archive Directory Traversal should include two parts: 2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java - Enumerationentries=​​zip​.g​etEntries(); + Enumeration entries =​ ​zip​.g​etEntries(); while(entries​.h​asMoreElements()){ ZipEntry e ​= ​entries.nextElement(); File f = new File(destinationDir, e.getName()); From 7d4c20e143b952eba0bd3065d5677d32c4ca37f7 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:16:31 -0400 Subject: [PATCH 18/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index caea463b73..57919b490e 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -121,7 +121,7 @@ Additional testing techniques: 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' 6. Create the ZIP file: - 'ZIP -r ' + 'zip -r ' 7. Validate files compressed 'jar -tvf ' 8. Load this ZIP file in the target application. From bf9839658687a40e015916ee649fed657e51c6dc Mon Sep 17 00:00:00 2001 
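Review bot: Adding spaces to `Enumeration entries =​ ​zip​.g​etEntries();` improves readability, but the line still contains the invisible zero-width characters from the original paste (they show up as the odd breaks inside `zip​.g​etEntries`, `entries​.h​asMoreElements` and `IOUtils​.c​opy`), `Enumeration` has lost its element type (most likely an angle-bracketed type parameter stripped as an HTML tag), and `write(f)` is not defined anywhere in the snippet. Retype the block by hand in plain ASCII, and if it is meant as a fragment say so in the sentence that introduces it.

Review bot: The `@@ -121` hunk lowercases `ZIP -r` back to `zip -r`; this is the third commit on that single line (PATCH 12, PATCH 15, PATCH 18) and the argument placeholders are still missing, so squash and complete the command in one change.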
From: Rick M Date: Tue, 23 Apr 2024 19:18:57 -0400 Subject: [PATCH 19/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 57919b490e..4ed9219a51 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -123,7 +123,7 @@ Additional testing techniques: 6. Create the ZIP file: 'zip -r ' 7. Validate files compressed - 'jar -tvf ' + `jar -tvf ` 8. Load this ZIP file in the target application. 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. From 344306d91770733ed28f00bd4cc3b6eeea180f61 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:19:10 -0400 Subject: [PATCH 20/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 4ed9219a51..d59efe943c 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
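Review bot: Switching `jar -tvf` to backticks makes it render as code, but the archive argument is still absent (`jar -tvf ` ends in a space), so the step cannot be followed; `jar` also needs a JDK on the test host, whereas `unzip -l` is more commonly available. PATCH 19 through PATCH 24 each convert one quoted command to backticks and should be a single commit.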
@@ -121,7 +121,7 @@ Additional testing techniques: 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' 6. Create the ZIP file: - 'zip -r ' + `zip -r ` 7. Validate files compressed `jar -tvf ` 8. Load this ZIP file in the target application. From 2a1fda6e732f0813966815bc4060dded4ad72371 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:19:24 -0400 Subject: [PATCH 21/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index d59efe943c..ce535e7d0c 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -112,7 +112,7 @@ Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. 1. Open a new terminal and create a new folder: - 'mkdir ' + `mkdir ` 2. Create a base file: 'touch base.txt' 3. Open this file, add a simple note and save it. From 2ad237c216109312c9e777e7c51f55eaa6503ed6 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:19:42 -0400 Subject: [PATCH 22/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
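Review bot: Same issue as the `jar -tvf` hunk: `zip -r ` and `mkdir ` in these two hunks now render as code but still lack their arguments (both end in a trailing space where the argument was), so steps 1 and 6 remain unusable as written; complete the commands in the same commit that changes the quoting.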
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index ce535e7d0c..6535512f50 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -114,7 +114,7 @@ Additional testing techniques: 1. Open a new terminal and create a new folder: `mkdir ` 2. Create a base file: - 'touch base.txt' + `touch base.txt` 3. Open this file, add a simple note and save it. 4. Create a traversed file that matches a local or remote directory: 'touch ../../../../../../../../tmp/traversed' From e55eee7c04dec57d9a631f49f831da5daa39fdfe Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:20:13 -0400 Subject: [PATCH 23/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 6535512f50..1b5ab95328 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -117,7 +117,7 @@ Additional testing techniques: `touch base.txt` 3. Open this file, add a simple note and save it. 4. Create a traversed file that matches a local or remote directory: - 'touch ../../../../../../../../tmp/traversed' + `touch ../../../../../../../../tmp/traversed` 5. Open this file and a message to echo (executing this file should echo this message): echo 'Your message here' 6. Create the ZIP file: From d8480256f0658015fd1de2f6f075c6224eb02e5a Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 23 Apr 2024 19:21:09 -0400 Subject: [PATCH 24/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 1b5ab95328..942f426ae1 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -119,7 +119,7 @@ Additional testing techniques: 4. Create a traversed file that matches a local or remote directory: `touch ../../../../../../../../tmp/traversed` 5. Open this file and a message to echo (executing this file should echo this message): - echo 'Your message here' + `echo 'Your message here'` 6. Create the ZIP file: `zip -r ` 7. Validate files compressed From 5119eea203fd93031f94430732c0d5dbc6df21e6 Mon Sep 17 00:00:00 2001 From: doverh Date: Wed, 24 Apr 2024 11:48:45 -0400 Subject: [PATCH 25/32] Refactor zip folder steps --- .../09-Test_Upload_of_Malicious_Files.md | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) 
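Review bot: Step 5 in the `@@ -119` hunk says `Open this file and a message to echo` (the verb `add` is missing), and the command `echo 'Your message here'` only prints to the terminal; as written nothing is written into the `traversed` file created in step 4, so a later check that the extracted file echoes the message cannot succeed. Either show the message being written into the file or describe editing it, as step 3 does for the base file.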
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 942f426ae1..41a5a3fd53 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -111,22 +111,21 @@ A test against Archive Directory Traversal should include two parts: Additional testing techniques: - Upload a malicious ZIP file and try to remote access this file when upload is completed. - 1. Open a new terminal and create a new folder: - `mkdir ` + 1. Open a new terminal and create tree structure: + Note: more or less levels of directories are required depending on how far you need to traverse. + `~$ mkdir -p a/b/c` 2. Create a base file: - `touch base.txt` - 3. Open this file, add a simple note and save it. - 4. Create a traversed file that matches a local or remote directory: - `touch ../../../../../../../../tmp/traversed` - 5. Open this file and a message to echo (executing this file should echo this message): - `echo 'Your message here'` - 6. Create the ZIP file: - `zip -r ` - 7. Validate files compressed - `jar -tvf ` - 8. Load this ZIP file in the target application. - 9. Verify that the two files are located within different folders on the web server after the archive has been extracted. - + `~$ echo base > a/b/c/base` + 3. Create a traversed file: + `~$ echo traversed > traversed` + 4. Validate your tree structure: + `~$ tree` + 5. Navigate to abc root directory: + `~$ cd a/b/c` + 6. Compress files: + `~$ zip test.zip base ../../../traversed` + 7.Verify compressed files content: + `~$ nzip -l test.zip` - Include a unit test to upload an infected compressed file then execute the extraction method. - Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/zip-slip-vulnerability#affected-libraries) From 9e11d2af9450229a51e5997ec0380a8fc71562b6 Mon Sep 17 00:00:00 2001 
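Review bot: `~$ nzip -l test.zip` in step 7 is a typo for `unzip -l test.zip`, and `7.Verify` lacks the space after the number, which breaks the ordered list in markdown. The rewrite also deleted the last two steps of the previous version (`Load this ZIP file in the target application` and `Verify that the two files are located within different folders on the web server after the archive has been extracted`), so the procedure now ends at building the archive and never performs the test the parent bullet promises; restore the upload and verification steps. Smaller points: the `Note:` line needs to be indented as part of step 1 or moved before the list, the `~$` prompt inside inline code is copied along with the command and is no longer accurate after `cd a/b/c`, and the relation between the three directory levels in `mkdir -p a/b/c` and the three `../` components in step 6 should be stated explicitly, since the note says the depth depends on the target.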
From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:57:12 -0400 Subject: [PATCH 26/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 41a5a3fd53..5f498f60eb 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -99,13 +99,14 @@ A test against Archive Directory Traversal should include two parts: 2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java - Enumeration entries =​ ​zip​.g​etEntries(); - while(entries​.h​asMoreElements()){ - ZipEntry e ​= ​entries.nextElement(); - File f = new File(destinationDir, e.getName()); - InputStream input = zip​.g​etInputStream(e); - IOUtils​.c​opy(input, write(f)); - } +Enumeration entries =​ ​zip​.g​etEntries(); + +while(entries​.h​asMoreElements()){ + ZipEntry e ​= ​entries.nextElement(); + File f = new File(destinationDir, e.getName()); + InputStream input = zip​.g​etInputStream(e); + IOUtils​.c​opy(input, write(f)); +} ``` Additional testing techniques: From 5e0c28a06c608870135124397903825670340edb Mon Sep 17 00:00:00 2001 
From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:57:53 -0400 Subject: [PATCH 27/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 5f498f60eb..af9f973e18 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -95,7 +95,7 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: -1. A malicious archive that breaks out of the target directory when extracted. This malicious archive can contain two files: a 'base' file, extracted into the target directory, and also an 'traversed' file, that attempts to navigate up the directory tree to hit the root folder - adding a file into the tmp directory. A malicious path can contain many levels of '../' (i.e. ../../../../../../../../tmp/traversed) to stand a better chance of reaching the root directory. +1. A malicious archive that breaks out of the target directory when extracted. This malicious archive should contain two files: a `base` file, extracted into the target directory, and a `traversed` file that attempts to navigate up the directory tree to hit the root folder - adding a file into the `tmp` directory. A malicious path will contain many levels of `../` (*i.e.* `../../../../../../../../tmp/traversed`) to stand a better chance of reaching the root directory. Once the attack is successful, the tester can find `/tmp/traversed` to be created on the webserver through the ZIP slip attack. 2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java From 50ea0166895789a6dc74a761159433e68879604c Mon Sep 17 00:00:00 2001 
From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:58:12 -0400 Subject: [PATCH 28/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index af9f973e18..880febba3c 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -96,7 +96,7 @@ If the application extracts archives (such as ZIP files), then it may be possibl A test against Archive Directory Traversal should include two parts: 1. A malicious archive that breaks out of the target directory when extracted. This malicious archive should contain two files: a `base` file, extracted into the target directory, and a `traversed` file that attempts to navigate up the directory tree to hit the root folder - adding a file into the `tmp` directory. A malicious path will contain many levels of `../` (*i.e.* `../../../../../../../../tmp/traversed`) to stand a better chance of reaching the root directory. Once the attack is successful, the tester can find `/tmp/traversed` to be created on the webserver through the ZIP slip attack. -2. A functionality, that is required to extract compressed files, either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: +2. Logic that extracts compressed files either using custom code or a library. Archive Directory Traversal vulnerabilities exist when the extraction functionality doesn’t validate file paths in the archive. The example below shows a vulnerable implementation in Java: ```java Enumeration entries =​ ​zip​.g​etEntries(); From 24bd894c7c582ef24b24c97d141c1d3bb9f37241 Mon Sep 17 00:00:00 2001 From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:58:25 -0400 Subject: [PATCH 29/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 880febba3c..287d6e2d5f 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -109,7 +109,7 @@ while(entries​.h​asMoreElements()){ } ``` -Additional testing techniques: +Follow the steps below to create a ZIP file that can abuse the vulnerable code above once its uploaded to the web server: - Upload a malicious ZIP file and try to remote access this file when upload is completed. 1. Open a new terminal and create tree structure: From 734936f0801867f82538640bff7ae4e0fe113d3b Mon Sep 17 00:00:00 2001 From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:58:33 -0400 Subject: [PATCH 30/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 287d6e2d5f..2d2878dc1a 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 
@@ -111,22 +111,21 @@ while(entries​.h​asMoreElements()){ Follow the steps below to create a ZIP file that can abuse the vulnerable code above once its uploaded to the web server: -- Upload a malicious ZIP file and try to remote access this file when upload is completed. - 1. Open a new terminal and create tree structure: - Note: more or less levels of directories are required depending on how far you need to traverse. - `~$ mkdir -p a/b/c` - 2. Create a base file: - `~$ echo base > a/b/c/base` - 3. Create a traversed file: - `~$ echo traversed > traversed` - 4. Validate your tree structure: - `~$ tree` - 5. Navigate to abc root directory: - `~$ cd a/b/c` - 6. Compress files: - `~$ zip test.zip base ../../../traversed` - 7.Verify compressed files content: - `~$ nzip -l test.zip` +```bash +# Open a new terminal and create a tree structure +# (more directory levels might be required based on the system being targeted) +mkdir -p a/b/c +# Create a base file +echo 'base' > a/b/c/base +# Create a traversed file +echo 'traversed' > traversed +# You can double check the tree structure using `tree` at this stage +# Navigate to a/b/c root directory +cd a/b/c +# Compress the files +zip test.zip base ../../../traversed +# Verify compressed files content +nzip -l test.zip - Include a unit test to upload an infected compressed file then execute the extraction method. - Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/zip-slip-vulnerability#affected-libraries) From 9a2e715d4433ddc56326561a2631a6f2f244d91d Mon Sep 17 00:00:00 2001 From: Dover Hellfeldt <25070780+doverh@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:59:58 -0400 Subject: [PATCH 31/32] Update document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md Co-authored-by: ThunderSon <32433575+ThunderSon@users.noreply.github.com> --- .../09-Test_Upload_of_Malicious_Files.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 2d2878dc1a..59134a3299 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -126,8 +126,6 @@ cd a/b/c zip test.zip base ../../../traversed # Verify compressed files content nzip -l test.zip -- Include a unit test to upload an infected compressed file then execute the extraction method. -- Validate that libraries being used have been [patched for this vulnerability.](https://github.com/snyk/zip-slip-vulnerability#affected-libraries) #### ZIP Bombs From e9c8e0d51a46d124c2d05861ef8b43aad97f2ff0 Mon Sep 17 00:00:00 2001 From: doverh Date: Thu, 25 Apr 2024 21:26:27 -0400 Subject: [PATCH 32/32] Close block code --- .../09-Test_Upload_of_Malicious_Files.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md index 59134a3299..5d7c16a3ae 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md @@ -125,7 +125,8 @@ cd a/b/c # Compress the files zip test.zip base ../../../traversed # Verify compressed files content -nzip -l test.zip +unzip -l test.zip +``` #### ZIP Bombs
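Review bot: In the `@@ -111,22 +111,21 @@` hunk of the first patch shown (the one replacing the nine numbered steps), the rewrite drops the former steps 8 and 9 ("Load this ZIP file in the target application" and "Verify that the two files are located within different folders on the web server"), so the procedure now ends at listing the archive and no longer says how the tester confirms the result; keep a final step that uploads the archive and checks whether `/tmp/traversed` appears on the server. Smaller points in the same hunk: `~$ nzip -l test.zip` is a typo for `unzip -l test.zip`, `7.Verify` is missing the space after the number, and "Navigate to abc root directory" should read "Navigate to the `a/b/c` directory".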
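Review bot: The `@@ -99,13 +99,14 @@` hunk (PATCH 26/32) re-indents the Java sample but carries over what look like invisible zero-width characters inside identifiers, visible in the hunk as oddly broken tokens such as `zip​.g​etEntries()`, `entries​.h​asMoreElements()` and `IOUtils​.c​opy(`; anyone copying the sample will get a compile error with no obvious cause, so retype those lines in plain ASCII. While there, `write(f)` is not a method of any standard type, so the sample does not show where the unvalidated `e.getName()` path actually gets written; `new FileOutputStream(f)` (or a short comment saying the helper opens `f` for writing) would make the sink explicit. The blank line added after `Enumeration entries = ...` also separates the declaration from the loop that uses it for no reason.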
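Review bot: In the `@@ -95,7 +95,7 @@` hunk (PATCH 27/32), `*i.e.*` before `../../../../../../../../tmp/traversed` should be `e.g.`, since that path is one example of a traversal path, not a definition. For consistency with the Snyk advisory linked earlier in the file, spell the attack name "Zip Slip" rather than "ZIP slip", and use "web server" as the following hunks do rather than "webserver".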
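Review bot: The `@@ -96,7 +96,7 @@` hunk (PATCH 28/32) reads better with a comma: "Logic that extracts compressed files, either using custom code or a library." Otherwise the reworded item is an improvement over "A functionality, that is required to ...".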
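Review bot: In the `@@ -109,7 +109,7 @@` hunk (PATCH 29/32), "once its uploaded" should be "once it is uploaded". The new lead sentence "Follow the steps below to create a ZIP file ..." is immediately followed by the retained bullet "- Upload a malicious ZIP file and try to remote access this file when upload is completed." with the numbered steps nested under it, so the ordering reads as "upload first, then create the file"; either drop that bullet or move it after the steps.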
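Review bot: The `@@ -111,22 +111,21 @@` hunk (PATCH 30/32) opens a ```` ```bash ```` fence after `nzip -l test.zip` that is never closed, so the two remaining bullets and the `#### ZIP Bombs` heading that follows would render inside the code block; add the closing fence after the last command. `nzip -l test.zip` should be `unzip -l test.zip`. The comment "(more directory levels might be required based on the system being targeted)" is clearer if it says why: the number of `../` components must exceed the depth of the application's extraction directory for the entry to reach `/tmp`.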
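Review bot: The `@@ -126,8 +126,6 @@` hunk (PATCH 31/32) deletes "Validate that libraries being used have been [patched for this vulnerability.]" along with the unit-test bullet; that link to the Snyk affected-libraries list is the only check in this section a defender can run without crafting an archive, so it is worth keeping, for example moved below the closed code block or into the page's remediation guidance, rather than removed. If the bullets were dropped only because they were stranded inside the unclosed fence from the previous commit, closing the fence fixes that without losing the content.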
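Review bot: The `@@ -125,7 +125,8 @@` hunk (PATCH 32/32) fixes both the `nzip` typo and the unclosed fence, which resolves the two rendering problems raised on the earlier commits. One sentence after the block would help the reader interpret the listing: the entry to look for in `unzip -l test.zip` output is `../../../traversed`, which is what makes the archive a traversal test, and stock `unzip` itself refuses to extract such entries (it strips the `../` components with a warning), so the extraction that matters is the application's own, not a local `unzip`.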