mime - Dave's Blog

Search
My timeline on Mastodon

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.

Level 1

Code

          $filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {

Issue

The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.

Level 2

Code

    $dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "

Successfully uploaded your display picture.

";
}

Issue

This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:

Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.

PermalinkCommentsinput-validation php security technical

"Additional Media Type Structured Syntax Suffixes" - Tony Hansen

2012 Apr 26, 3:15

This document defines several Structured Syntax Suffixes for use with media type registrations. In particular, it defines and registers the “+json”, “+ber”, “+der”, “+fastinfoset”, “+wbxml” and “+zip” Structured Syntax Suffixes, and updates the “+xml” Structured Syntax Suffix registration.

PermalinkCommentstechnical json mime ietf rfc standard

"JSON Patch" - Paul Bryan

2011 Nov 17, 1:06

Mime-type for describing the difference between two JSON resources (in JSON using JSON paths)

PermalinkCommentstechnical mime mime-type json ietf

"The application/opensearchdescription xml media type" - Frank Ellermann

2011 Nov 14, 1:26PermalinkCommentstechnical mime mime-type opensearch xml ietf

URI Fragment Identifiers for the text/csv Media Type

2011 Apr 29, 3:55This memo defines URI fragment identifiers for text/csv MIME entities. These fragment identifiers make it possible to refer to parts of a text/csv MIME entity, identified by cell, row, column, or slice.PermalinkCommentscsv uri technical mime reference

pbryan-json-patch - A JSON Media Type for Describing Partial Modifications to JSON Documents

2011 Apr 20, 2:27"JSON (JavaScript Object Notation) Patch defines the media type "application/patch+json", a JSON-based document structure for specifying partial modifications to apply to a JSON document."PermalinkCommentsjson reference patch mime mimetype technical

Internet Media Types and the Web

2010 Sep 30, 2:48A surprisingly readable and delightfully accurate summary of the history of MIME in the web followed by proposed next steps. Sounds like a plan to me! "We need a realistic transition plan from the unreliable web to the more reliable one. Part of this is to encourage senders (web servers) to mean what they say, and encourage recipients (browsers) to give preference to what the senders are sending."PermalinkCommentsmime contenttype browser web ietf reference history mimetype mime-sniffing sniffing technical

RFC 5987 - Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters

2010 Aug 13, 11:47Other characters sets for HTTP headers: "By default, message header field parameters in Hypertext Transfer Protocol (HTTP) messages cannot carry characters outside the ISO-8859-1 character set. RFC 2231 defines an encoding mechanism for use in Multipurpose Internet Mail Extensions (MIME) headers. This document specifies an encoding suitable for use in HTTP header fields that is compatible with a profile of the encoding defined in RFC 2231."PermalinkCommentsrfc language localization charset http technical reference http-header

RFC 4627 - The application/json Media Type for JavaScript Object Notation (JSON)

2010 Mar 31, 7:59Defines the mime type for JSON as well as JSON itself.PermalinkCommentstechnical json mimetype mime javascript ietf rfc specification

The WHATWG Blog » Blog Archive » What’s next in HTML, episode 2: who’s been peeing in my sandbox?

2010 Jan 26, 2:00The sandbox attribute for the iframe element sounds like a big pit of issues. Includes a new mime type text/html-sandbox to put on content that shouldn't be rendered as html in browsers that don't support the sandbox attribute.PermalinkCommentshtml html5 sandbox security web browser iframe mime mimetype html-sandbox technical

View PDFs on Android

2010 Jan 10, 4:07

Irritatingly, my G1 won't show me PDFs so I've made the Google Docs PDF viewer which will load PDFs on the web up in Google Docs. Google Docs has the useful ability to display PDFs in web browsers without any Adobe software and works (mostly) on Android.

This was very easy to put together as an Android activity. First its necessary to register the application as handling PDFs from the web. This is done via the intent-filter declaration in the manifest:

   intent-filter
      action android:name="android.intent.action.VIEW"/
      data android:scheme="http" android:mimeType="application/pdf"/
      category android:name="android.intent.category.DEFAULT"/
      category android:name="android.intent.category.BROWSABLE"/
   /intent-filter
The action part says my activity will view PDFs, the data part says it accepts data with the PDF mime-type and with a URL that has an HTTP scheme. The browsable category is necessary to allow links from a browser to open this activity.

Second, the activity opens up the browser to Google Docs pointing to the PDF.

   Intent intent = new Intent();
   intent.setAction(getIntent().getAction());
   intent.setData(Uri.parse(
    "http://docs.google.com/gview?embedded=true&url=" + 
    percentEncodeForQuery(getIntent().getData().toString())));

   startActivity(intent);
This is very simple code to invoke a new intent browsing to a newly constructed URL for the PDF in Google Docs. That was easy.PermalinkCommentsgoogle docs technical g1 code activity programming android google pdf

mimesniff - Project Hosting on Google Code

2009 Sep 30, 5:16Open source implementation of the mime sniffing standard that fell out of HTML5.PermalinkCommentshtml5 mime mime-sniffing mimetype opensource open-source technical library google

The WHATWG Blog » Blog Archive » Sniffing for RSS 1.0 feeds served as text/html

2009 Sep 29, 10:54How Firefox and IE7&8 perform feed sniffingPermalinkCommentsrss feed atom mime mime-sniffing sniffing mimetype web browser html5 technical

Sam Ruby: Chromie Don’t Play That

2009 Sep 24, 3:58"Put more constructively, if GCF mentioned application/xhtml+xml AND intercepted it, my site would “just work”. But that wouldn’t be an “opt in”, a concept that Ian Hickson once described as yet another quirks mode switch."PermalinkCommentschrome google web browser extension webbrowser mime xml xhtml technical

RFC 2483 - URI Resolution Services Necessary for URN Resolution

2009 Jul 27, 7:28Includes the text/uri-list mime type!PermalinkCommentstechnical url uri mime reference ietf

Content-Type Processing Model

2009 Jun 22, 3:12HTML5's mime-sniffing is getting moved to an IETF doc: "Many web servers supply incorrect Content-Type headers with their HTTP responses. In order to be compatible with these servers, user agents must consider the content of HTTP responses as well as the Content-Type header when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations."PermalinkCommentsmime mime-sniffing ietf http w3c html5 technical

Michael(tm) Smith - WebKit destined to get its own content sniffer

2009 Jun 22, 3:09"Web/browser-security maven and coder Adam Barth has been working on implementing a content sniffer in WebKit, based on a content-sniffing algorithm that was originally specified in the HTML5 draft, but that's now specified as a separate IETF draft that Adam is editing and that's titled, Content-Type Processing Model."PermalinkCommentsmime mime-sniffing webkit http technical

Secure Content Sniffing for Web Browsers or How to Stop Papers from Reviewing Themselves

2009 Apr 23, 2:22Review of mime sniffing based XSS attacks with recommended protections for both web sites and browsers. Also, surprising to me since I rarely see it in this sort of a paper, thought and stats on the compat. affects of their recommended changes for browsers. Very happy to see that in there!PermalinkCommentsweb security ie browser xss sniff mime firefox chrome safari html html5

Proxy Client Autoconfig File Format

2009 Feb 5, 8:47Copy of the Netscape Navigator document (the original's long gone) describing the Proxy Auto-Config (PAC) file format and mime-type. Its a javascript file with at least one well known function that, given a host, returns a string describing which methods are appropriate for a web browser to connect to that host.PermalinkCommentsjavascript pac proxy http reference netscape navigator

G1 Android Phone

2008 Nov 9, 11:29

T-Mobile G1 Wallpapers by romainguy
I finally replaced my old regular cell-phone which was literally being held together by a rubber band with a fancy new G1, my first Internet accessible phone.

I had to call the T-Mobile support line to get data added to my plan and the person helping me was disconcertingly friendly. She asked about my weekend plans and so I felt compelled to ask her the same. Her plans involved replacing her video card so she could get back to World of Warcraft and do I enjoy computer gaming? I couldn't tell if she was genuine or if she was signing me up for magazines.

I was with Sarah in her new car, trying out the phone's GPS functionality via Google Maps while she drove. I switched to Street View and happened to find my car. It was a weird feeling, kind of like those Google conspiracy videos.

The phone runs Google's open source OS and I really enjoy the application API. Its all in Java and URIs and mime-types are sort of basics. Rather than invoking the builtin item picker control directly you invoke an 'intent' specifying the URI of your list of items, a mime-type describing the type of items in the list, and an action 'PICK' and whatever is registered as the picker on the system pops up and lets the user pick from that list. The same goes if you want to 'EDIT' an image, or 'VIEW' an mp3.

I wanted to replace the Google search box gadget that appears on the home screen with my own search box widget that uses OpenSearch descriptors but apparently in the current API you can't make home screen gadgets without changing parts of the OS. My other desired application is something to replace this GPS photo tracker device by recording my location to a file and an additional program on my computer to apply those locations to photos.

PermalinkCommentstmobile personal api phone technical g1 android google
Older Entries Creative Commons License Some rights reserved.