My Pentest Log -13- (Bypass Renaming on File Upload)
Greetings from the Hippodrome everyone,
Today, I would like to inform you about the vulnerability I encountered in the file upload area during private mobile app tests.
1. I was informed by our project manager that I will perform private mobile app tests.
2. After verifying the scope form for the relevant application, I started the necessary security testing steps.
3. I have detected vulnerabilities at various levels, but the scenario that motivated me the most was the scenario I encountered in the file upload area.
4. File upload areas are very important in the field of application security, what is the reason for this?
First of all, what is file upload? It should start with:
File upload areas are the areas where we can upload files in certain formats on the application we use, in accordance with the specified permissions.
Why is it used? Is it necessary?
In fact, this question varies according to the structure of the application, for example, in a chat application it is used for users to see and interact with each other more, while it is used to verify the user in stock market applications, and in some applications it is used only to increase the interaction between the user and the application. The list can go on and on, so the requirement depends on the nature of the application.
So why is it important for security?
File upload areas are the primary areas where we can contact the storage units of the relevant application. From this point of view, if you want to try attack vectors such as shell connection, data leak, access to the server on an application, the first point that will come to your mind will be the file upload areas, because the hardening of the file upload areas is not only about the security in the code block, but also the related storage directories on the system side. Security rules need to be implemented well, so ensuring the security of file upload areas is a somewhat tedious and time-consuming process.
5. Returning to our topic, there was a file upload area that I encountered during the private app application. There were various levels of security measures in this file upload area, one of them being the security rules that change the file name with a certain random mechanism and then rename it and do not reveal the directory it was uploaded to.
6. However, there was one point that caught my attention. While uploading a file via the relevant address, the file name was automatically changed with the method I mentioned above and our file was uploaded to the designated storage area of the application.
7. At this point, I wonder if we could get past the “auto-generator file name” mechanism if we intercepted the relevant file name before it is forwarded to the storage area and changed the name as per our request and sent it?
8. Just as I expected, when I intervened with the proxy during the upload phase of the file and changed the name assigned by the application and sent it according to my request, I found that the application uploaded the file to the server with the name I specified.
9. In this way, I was able to detect where my file was uploaded on the application with a little search-and-find logic.
You can detect various levels of security vulnerabilities by carefully examining the best practices implemented in file upload areas and investigating whether they are implemented during tests.