sniffing - Dave's Blog

Search
My timeline on Mastodon

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.

Level 1

Code

          $filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {

Issue

The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.

Level 2

Code

    $dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "

Successfully uploaded your display picture.

";
}

Issue

This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:

Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.

PermalinkCommentsinput-validation php security technical

Internet Media Types and the Web

2010 Sep 30, 2:48A surprisingly readable and delightfully accurate summary of the history of MIME in the web followed by proposed next steps. Sounds like a plan to me! "We need a realistic transition plan from the unreliable web to the more reliable one. Part of this is to encourage senders (web servers) to mean what they say, and encourage recipients (browsers) to give preference to what the senders are sending."PermalinkCommentsmime contenttype browser web ietf reference history mimetype mime-sniffing sniffing technical

WPAD Server Fiddler Extension

2010 Jan 5, 7:42

I've made a WPAD server Fiddler extension and in a fit of creativity I've named it: WPAD Server Fiddler Extension.

Of course you know about Fiddler, Eric's awesome HTTP debugger tool, the HTTP proxy that lets you inspect, visualize and modify the HTTP traffic that flows through it. And on the subject you've probably definitely heard of WPAD, the Web Proxy Auto Discovery protocol that allows web browsers like IE to use DHCP or DNS to automatically discover HTTP proxies on their network. While working on a particularly nasty WPAD bug towards the end of IE8 I really wished I had a way to see the WPAD requests and responses and modify PAC responses in Fiddler. Well the wishes of me of the past are now fulfilled by present day me as this Fiddler extension will respond to WPAD DHCP requests telling those clients (by default) that Fiddler is their proxy.

When I started working on this project I didn't really understand how DHCP worked especially with respect to WPAD. I won't bore you with my misconceptions: it works by having your one DHCP server on your network respond to regular DHCP requests as well as WPAD DHCP requests. And Windows I've found runs a DHCP client service (you can start/stop it via Start|Run|'services.msc', scroll to DHCP Client or via the command line with "net start/stop 'DHCP Client'") that caches DHCP server responses making it just slightly more difficult to test and debug my extension. If a Windows app uses the DHCP client APIs to ask for the WPAD option, this service will send out a DHCP request and take the first DHCP server response it gets. That means that if you're on a network with a DHCP server, my extension will be racing to respond to the client. If the DHCP server wins then the client ignores the WPAD response from my extension.

Various documents and tools I found useful while working on this:

PermalinkCommentsproxy fiddler http technical debug wpad pac tool dhcp

mimesniff - Project Hosting on Google Code

2009 Sep 30, 5:16Open source implementation of the mime sniffing standard that fell out of HTML5.PermalinkCommentshtml5 mime mime-sniffing mimetype opensource open-source technical library google

The WHATWG Blog » Blog Archive » Sniffing for RSS 1.0 feeds served as text/html

2009 Sep 29, 10:54How Firefox and IE7&8 perform feed sniffingPermalinkCommentsrss feed atom mime mime-sniffing sniffing mimetype web browser html5 technical

Content-Type Processing Model

2009 Jun 22, 3:12HTML5's mime-sniffing is getting moved to an IETF doc: "Many web servers supply incorrect Content-Type headers with their HTTP responses. In order to be compatible with these servers, user agents must consider the content of HTTP responses as well as the Content-Type header when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations."PermalinkCommentsmime mime-sniffing ietf http w3c html5 technical

Michael(tm) Smith - WebKit destined to get its own content sniffer

2009 Jun 22, 3:09"Web/browser-security maven and coder Adam Barth has been working on implementing a content sniffer in WebKit, based on a content-sniffing algorithm that was originally specified in the HTML5 draft, but that's now specified as a separate IETF draft that Adam is editing and that's titled, Content-Type Processing Model."PermalinkCommentsmime mime-sniffing webkit http technical

Secure Content Sniffing for Web Browsers or How to Stop Papers from Reviewing Themselves

2009 Apr 23, 2:22Review of mime sniffing based XSS attacks with recommended protections for both web sites and browsers. Also, surprising to me since I rarely see it in this sort of a paper, thought and stats on the compat. affects of their recommended changes for browsers. Very happy to see that in there!PermalinkCommentsweb security ie browser xss sniff mime firefox chrome safari html html5

Web Security Research- Alex's Corner: HTTP Range & Request-Range Request Headers

2008 May 2, 1:55Avoid sniffing using the HTTP range header: "...if we have an application...which protects against FindMimeFromData XSS attacks by searching the first 256 bytes for certain strings, then we can simply place our strings after the first 256 bytes and get FlPermalinkCommentsvia:swannman http http-header range xss security

bunnie's blog - Blog Archive - Chumby Wifi Sniffer

2008 Apr 8, 1:08"... a version of the chumby that sniffs wifi and renders captured packets onto the display."PermalinkCommentsvia:swannman chumby wifi sniff security sniffing wireless network

MSIE facilitates Cross Site Scripting [splitbrain.org]

2008 Mar 6, 2:22Using IE's mimetype sniffing for XSS attacks.PermalinkCommentsmime http sniffing sniff security browser ie ie7 pdf
Older Entries Creative Commons License Some rights reserved.