My Pentest Log -21 — (Content-Type Checks)
Greetings everyone from Porta Platea,
In this article, I would like to inform you about a situation I encountered during the tests I carried out on the file upload area.
1. I received the necessary information for the “private.com” tests from our project manager.
2. I verified the “scope form” right after the disclosure process.
3. I completed the discovery steps on the target application and started the security tests.
4. After some vulnerabilities were detected, I started special tests on the file upload area in the application. Why specifically?
File upload areas have a very important place in application security: a vulnerability there may allow harmful files to be uploaded to the server, which can in turn give an attacker a shell.
5. Based on this, I wanted to perform the last check in my checklist after applying various file upload attacks.
Check name: Content-Type Attack Checks
Our purpose in this check is to determine whether the application applies a blacklist-based or a whitelist-based security measure. A blacklist-based control is more likely to be bypassed than a whitelist; a whitelist has to be overcome with much more advanced techniques. With this in mind, I created a detailed list by searching for MIME types on Google: I collected about 1617 MIME-type variants and saved them in a small txt list.
Our aim here is to understand which file formats are accepted and which are rejected, by testing the MIME types in this list one by one in the Content-Type header of the application's file upload area. If the application rejects all of them, it has most likely taken a whitelist-based security measure, which would force us to build attack vectors over the accepted formats.
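To make the blacklist-versus-whitelist difference concrete, here is an added example (not code from the original post or from the tested application) of the two server-side policies. The blocked, allowed and magic-byte tables are constructed for illustration; the whitelist version also checks the file's leading bytes, since the Content-Type header is entirely client-controlled.

```python
# Two upload policies for the Content-Type header (constructed example).
# BLOCKED_TYPES / ALLOWED_TYPES / MAGIC are illustrative tables, not from
# any real application.

BLOCKED_TYPES = {"application/x-php", "text/x-php", "application/x-httpd-php"}
ALLOWED_TYPES = {"image/png", "image/jpeg", "application/pdf"}

# Leading bytes expected for each allowed type (constructed, not exhaustive).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}


def normalize(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and lowercase the media type,
    so case or parameter variants of a known type compare equal."""
    return content_type.split(";", 1)[0].strip().lower()


def blacklist_accepts(content_type: str) -> bool:
    """Blacklist policy: anything not explicitly blocked gets through.
    Any of the many MIME types missing from the list is accepted."""
    return normalize(content_type) not in BLOCKED_TYPES


def whitelist_accepts(content_type: str, data: bytes) -> bool:
    """Whitelist policy: the header must name an allowed type AND the file
    content must start with that type's magic bytes."""
    ctype = normalize(content_type)
    if ctype not in ALLOWED_TYPES:
        return False
    return data.startswith(MAGIC[ctype])


if __name__ == "__main__":
    # Constructed uploads: a script body under an unlisted type, and a PNG.
    script_body = b"<?php /* constructed script body */ ?>"
    png_body = MAGIC["image/png"] + b"\x00" * 16
    cases = [
        ("application/x-php", script_body),
        ("application/x-unlisted", script_body),  # blacklist lets this through
        ("image/png", script_body),               # header lies about content
        ("image/png", png_body),
    ]
    for ctype, body in cases:
        print(f"{ctype:24} blacklist={blacklist_accepts(ctype)!s:5} "
              f"whitelist={whitelist_accepts(ctype, body)}")
```

Running it shows the gap the post exploits: the blacklist accepts every type it does not name, while the whitelist only passes an allowed type whose bytes match.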
6. By loading the “content-types.txt” file I created into Intruder in Burp Suite, I started the trial-and-error process on the “Content-Type” header of the application, and as I guessed, a blacklist-based control was applied on the application. I found that only certain file formats are blocked and the rest can be uploaded easily.
7. Starting from here, I was able to successfully upload a small file that produced command output, using a content type that is not checked by the application, and read the output of the command.
8. I finished the day with high motivation by adding the relevant finding and evidence to our security report.
In summary:
While testing the different features of an application, you can detect more vulnerabilities by applying further attack vectors without giving up.