An attack of this type exploits a Web server's decision to take action
based on filename or file extension. Because different file types are
handled by different server processes, misclassification may force the Web
server to take unexpected action, or expected actions in an unexpected
sequence. This may cause the server to exhaust resources, supply debug or
system data to the attacker, or bind an attacker to a remote process.
This type of vulnerability has been found in many widely used servers
including IIS, Lotus Domino, and Orion. The attacker's job in this case is
straightforward: standard communication protocols and methods are used, and
malicious information is generally appended at the tail end of an
otherwise legitimate request. The attack payload varies, but it could be
special characters like a period, or simply an appended tag that has a
special meaning for operations on the server side, like .jsp for a Java
application server. The essence of this attack is that the attacker deceives
the server into executing functionality based on the name of the request,
i.e. login.jsp, not its contents.
Attack Execution Flow

Explore

Footprint file input vectors:
Manually or using an automated tool, an attacker searches for all input
locations where a user has control over the filenames or MIME types of
files submitted to the web server.

Attack Step Techniques
  1. Attacker manually crawls the application to identify file inputs.
     (env-Web)
  2. Attacker uses an automated tool to crawl the application and identify
     file inputs. (env-Web)
  3. Attacker manually assesses the strength of the access control
     protecting native application files from user control. (env-Web)
  4. Attacker explores the potential for submitting files directly to the
     web server via independently constructed HTTP requests. (env-Web)

Indicators
  1. Positive: Application submits files under user control to the web
     server. (env-Web)
  2. Negative: Application does not submit files under user control to the
     web server. (env-Web)
  3. Negative: Application strictly protects all native application files
     from user control. (env-Web)

Outcomes
  1. Success: User-controllable files are identified.
Experiment

File misclassification shotgunning:
An attacker makes changes to file extensions and MIME types typically
processed by web servers and looks for abnormal behavior.

Attack Step Techniques
  1. Attacker submits files with switched extensions (e.g. .php on a .jsp
     file) to the web server. (env-Web)
  2. Attacker adds extra characters (e.g. an extra . after the file
     extension) to the filenames of files submitted to the web server.
     (env-Web)

Indicators
  1. Positive: The web server uses the wrong handler to execute the file,
     as expected by the attacker. (env-Web)
  2. Inconclusive: No result from the web server. (env-Web)
  3. Negative: The web server ignores the manipulation and processes the
     request as it should have. (env-Web)

Outcomes
  1. Success: Web server exhibits unexpected behavior.

Security Controls
  2. Detective: Monitor web server logs for excessive file processing
     errors.
  3. Preventative: Always validate that the file content structure matches
     the implicitly or explicitly declared file type as the first step of
     processing.
File misclassification sniping:
Understanding how certain file types are processed by web servers, an
attacker crafts varying file payloads and modifies their file extension or
MIME type to be that of the targeted type, to see if the web server is
vulnerable to misclassification of that type.

Attack Step Techniques
  1. Craft a malicious file payload, modify its file extension to the
     targeted file type and submit it to the web server. (env-Web)
  2. Craft a malicious file payload, modify its associated MIME type to the
     targeted file type and submit it to the web server. (env-Web)

Indicators
  1. Positive: The web server uses the wrong handler to execute the file,
     as expected by the attacker. (env-Web)
  2. Inconclusive: No result from the web server. (env-Web)
  3. Negative: The web server ignores the manipulation and processes the
     request as it should have. (env-Web)

Outcomes
  1. Success: Attacker's payload is acted on by the web server.
  2. Failure: The attacker cannot get the web server to misclassify a file.

Security Controls
  1. Detective: Monitor web server logs for excessive file processing
     errors.
  2. Preventative: Always validate that the file content structure matches
     the implicitly or explicitly declared file type as the first step of
     processing.
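A sketch of the detective control listed above (monitor web server logs for file processing errors, and for the extension manipulations described in the shotgunning and sniping steps), as an added Python example that is not part of the CAPEC entry. The log lines are constructed sample data, and the error threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed Common Log Format lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2009:12:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [10/Mar/2009:12:00:02 +0000] "GET /login.jsp. HTTP/1.1" 200 4021
10.0.0.9 - - [10/Mar/2009:12:00:03 +0000] "GET /login.jsp%20 HTTP/1.1" 200 4021
10.0.0.9 - - [10/Mar/2009:12:00:04 +0000] "GET /admin.jsp.bak HTTP/1.1" 500 213
10.0.0.9 - - [10/Mar/2009:12:00:05 +0000] "GET /upload.php HTTP/1.1" 500 213
10.0.0.7 - - [10/Mar/2009:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 812
"""

# client, method, path and status from one CLF line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# A script extension followed by a trailing dot, an encoded space or NUL, or
# an extra suffix: the manipulations of the shotgunning and sniping steps.
SUSPICIOUS = re.compile(r"\.(jsp|php|asp|aspx)(\.|%20|%00|\.\w+)$", re.I)

def analyse(log_text, error_threshold=2):
    """Return (flagged_requests, noisy_clients).

    flagged_requests: (client, path, status) for each request whose path
    shows a manipulated extension, whatever the status. A 200 here is the
    worrying case: the server served something for a name it should not.
    noisy_clients: clients with >= error_threshold responses of 400 or
    above, i.e. the 'excessive file processing errors' signal.
    """
    flagged, errors = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparsable lines, do not crash
        client, _method, path, status = m.groups()
        path = path.split("?", 1)[0]      # ignore any query string
        if SUSPICIOUS.search(path):
            flagged.append((client, path, int(status)))
        if int(status) >= 400:
            errors[client] += 1
    noisy = sorted(c for c, n in errors.items() if n >= error_threshold)
    return flagged, noisy
```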
Exploit

Disclose information:
The attacker, by manipulating a file extension or MIME type, is able to
make the web server return raw information (not executed).

Attack Step Techniques
  1. Manipulate the file names that are explicitly sent to the server.
     (env-Web)
  2. Manipulate the MIME type sent in order to confuse the web server.
     (env-Web)

Outcomes
  1. Success: The attacker gets the information from the server.

Security Controls
  1. Preventative: Always validate that the file content structure matches
     the implicitly or explicitly declared file type as the first step of
     processing.
Attack Prerequisites
Web server software must rely on file name or file extension for
processing.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
J2EE application servers are supposed to execute Java Server Pages
(JSP). There have been disclosure issues relating to Orion Application
Server: when an attacker appends either a period (.) or space characters
to the end of a legitimate HTTP request, the server displays the full
source code in the attacker's web browser, e.g.
http://victim.site/login.jsp.
Since remote data and directory access may be accessed directly from
the JSP, this is a potentially very serious issue.

To use misclassification to force the Web server to disclose
configuration information, source, or binary data
Resources Required
Ability to execute HTTP request to Web server
Solutions and Mitigations
Implementation: Server routines should be determined by content, not by
filename or file extension.
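The Orion-style trailing-period disclosure from the example above, beside the content-based mitigation, modelled in an added Python example (constructed code, not the code of Orion, IIS or any real server). HANDLERS, DOCROOT and the handler names are hypothetical, and the filesystem model assumes Windows-style trimming of trailing dots and spaces when a file is opened.

```python
# Constructed model of extension-based dispatch (hypothetical names, not any
# real server). Filesystem model: trailing dots/spaces are ignored on open.
HANDLERS = {".jsp": "jsp-engine", ".html": "static", ".txt": "static"}

# Constructed document root: canonical file name -> bytes on disk.
DOCROOT = {
    "login.jsp": b'<%@ page import="java.sql.*" %><% /* db logic */ %>',
    "index.html": b"<html><body>hi</body></html>",
    "notes.jsp": b"plain text that is not a JSP at all",
}

def fs_lookup(name):
    """Name the filesystem would actually open for a request name."""
    return name.rstrip(". ")

def extension(name):
    return "." + name.rpartition(".")[2].lower() if "." in name else ""

def weak_serve(path):
    """Vulnerable: handler chosen from the raw request name, file opened by
    the normalised name. 'login.jsp.' matches no handler, falls back to the
    static handler, and the JSP source is returned raw (the Orion issue)."""
    handler = HANDLERS.get(extension(path), "static")
    real = fs_lookup(path)
    if real not in DOCROOT:
        return 404, b""
    if handler == "static":
        return 200, DOCROOT[real]
    return 200, b"<executed " + real.encode() + b">"

# Declared type must match the content structure before any processing.
CONTENT_CHECKS = {
    "jsp-engine": lambda body: b"<%" in body,
    "static": lambda body: b"<%" not in body,
}

def hardened_serve(path):
    """Mitigated: reject names the filesystem would normalise, never fall
    back to a default handler, and refuse files whose content does not
    match the declared type (the Preventative control above)."""
    if path != fs_lookup(path) or "\x00" in path:
        return 400, b""
    if path not in DOCROOT:
        return 404, b""
    handler = HANDLERS.get(extension(path))
    if handler is None or not CONTENT_CHECKS[handler](DOCROOT[path]):
        return 403, b""
    if handler == "static":
        return 200, DOCROOT[path]
    return 200, b"<executed " + path.encode() + b">"
```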
Attack Motivation-Consequences
Information Leakage
Privilege Escalation
Injection Vector
Malicious input delivered through standard Web application calls, e.g. HTTP
Request.
Payload
Varies with instantiation of attack pattern. Malicious payload may alter or
append filename or extension to communicate with processes in unexpected
order.
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to force web server to disclose configuration, source, and
data
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.