One of the first steps of a black-box penetration testing of a website is mapping its files and directories. And in order to do that, security scanners crawl into the website first, and then try to guess the possible directories and files. These scanners use the response header or body of the page to investigate a valid file or directory. For instance, the header status “404” can be the sign of “File Not Found” and “200” can be the sign of a valid file. Also, the status “403 Forbidden” can be the sign of a valid directory without any index page. However, many websites such as Yahoo, Google, Facebook, Microsoft, and so on do not like to show the “403 Forbidden” errors for a valid directory, and instead, they show a “Page Not found” or another default page to the users. Although this functionality makes the website more user-friendly, it is not good for the scanners at all; as there is no difference between a valid and an invalid directory then.
Therefore, we need something else as a signature to improve the scanners result. And as a solution we can use a “/” as an identifier. In case of requesting a valid directory without adding a slash at the end of it, the web-server will add an slash automatically, and in case of having an invalid directory there will not be any slash at the end of the directory name.
Some examples:
Invalid Directory: http://www.microsoft.com/foobars
Valid Directory: http://www.microsoft.com/test
——–
Invalid Directory: http://code.google.com/foobars
Valid Directory: http://code.google.com/js
——–
Invalid Directory: http://www.facebook.com/foobars
Valid Directory: http://www.facebook.com/admin
——–
Invalid Directory: http://uk.yahoo.com/foobars
Valid Directory: http://uk.yahoo.com/private
——–
Cheers,
Soroush Dalili
Some new methods of bypassing file uploaders protections have been discussed. As an example bypassing by using: trailing spaces and dots, “::$data.”, direct Null char, IIS semi-colon bug, and so on.
Uploading files by using web applications is very common. However, there is always a high risk around this matter. In case of uploading a web-shell file which can be absolutely malicious, an attacker can get the same privilege of access as the web application to the server. In this paper, which is mostly around the Windows-based web applications, some general solutions for protecting against this type of attack have been suggested. Moreover, as a proof of concept, some of the most general protection methods and the way of bypassing them have been discussed.
This article is an educational article to improve the security of the web applications. And, the author of this article (“Soroush Dalili”) does not accept and has no responsibility about the content or usage of this article in any other way. Any other usage of this article except the legal ones is completely prohibited.
Please respect the copyright and mention the name of the author (“Soroush Dalili”) in case of using this article.
Download this article by clicking here. (http://soroush.secproject.com/downloadable/Improve File Uploaders’ Protections.pdf)
Iframe delay in loading the local drives in IE7 and IE8 can cause drive list enumeration!
Proof of Concept is available from this link:
http://plaincipher.com/demo/IE-Drive-Enum-Demo.html
Cheers,
Soroush Dalili
After OWASP updated its Top 10, now I’m very glad to quote this:
The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0.
You can read more information from these links: http://projects.webappsec.org/Threat-Classification and http://projects.webappsec.org/f/WASC-TC-v2_0.pdf
Cheers,
Soroush
First of all, Microsoft is one of the best companies which leads us to the better world. But, nothing is free of fault except God!
I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.
They said that “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.”. Therefore, I realized that this is not a Microsoft IIS hole. So, it should be a feature of IIS 6.0! In my opinion it’s a good feature for the attackers to bypass the web uploaders protection. Now my question is: why have they removed this feature from IIS version 7 and 7.5 then? And why are the others so concerned about this feature and some people added it to their exploits collection?
I think it’s not even a critical bug for IIS, but it is highly critical for most of the web applications.
Besides, Microsoft is so wrong about the default configurations since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”. I think they should look at the shared servers default configurations as well as the dedicated ones.
Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And, it is up to the web security researchers and the web penetration testers to decide about the impact of this vulnerability on the web applications.
PS:
You can also look at these links:
- http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/
- http://www.esecurityplanet.com/trends/article.php/3855936/article.htm
Twitter
LinkedIn