| Field | Value |
|---|---|
| Attack Pattern ID | 11 |
| Pattern Abstraction | Standard |
| Typical Severity | High |
| Description | Summary: An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used, and malicious information is generally appended at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period, or simply an appended tag that has a special meaning for operations on the server side, like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not its contents. |
| Attack Prerequisites | Web server software must rely on file name or file extension for processing. |
| Typical Likelihood of Exploit | Medium |
| Methods of Attack | Injection; Modification of Resources |
| Examples-Instances | Description: J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server: if an attacker appends either a period (.) or space characters to the end of a legitimate HTTP request, e.g. http://victim.site/login.jsp., the server displays the full source code in the attacker's web browser. Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue. Reference: http://www.securityfocus.com/bid/17204/info |
| Attacker Skill or Knowledge Required | Low: to modify file name or file extension. Medium: to use misclassification to force the Web server to disclose configuration information, source, or binary data. |
| Resources Required | Ability to execute HTTP request to Web server |
| Solutions and Mitigations | Implementation: Server routines should be determined by content, not by filename or file extension. |
| Attack Motivation-Consequences | Information Leakage; Privilege Escalation |
| Context Description | "Attack Pattern: Cause Web Server Misclassification. A very famous set of classification problems occurs when a Web server examines the last few characters of a filename to determine what kind of file it is. There are many ways to take advantage of these kinds of problems-appending certain strings to filenames, adding dots, and so forth." [Hoglund and McGraw 04] |
| Injection Vector | Malicious input delivered through standard Web application calls, e.g. HTTP Request. |
| Payload | Varies with instantiation of attack pattern. Malicious payload may alter or append filename or extension to communicate with processes in unexpected order. |
| Activation Zone | Client machine and client network |
| Payload Activation Impact | Enables attacker to force web server to disclose configuration, source, and data |
| Related Weaknesses | see table below |

| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 69 | Failure to Handle Windows ::DATA Alternate Data Stream | Secondary |
| 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Secondary |

| Field | Value |
|---|---|
| Purpose | Reconnaissance |
| CIA Impact | see table below |

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| High | Low | Low |

| Field | Value |
|---|---|
| Technical Context | see table below |

| Architectural Paradigm | Framework | Platform | Language |
|---|---|---|---|
| All | All | All | All |
| Field | Value |
|---|---|
| References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. |
| Source | see the Submission(s) and Modification(s) tables below |

Submission(s):

| Submitter | Organization | Date | Comment |
|---|---|---|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |

Modification(s):

| Modifier | Organization | Date | Comment |
|---|---|---|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" |
| Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise |
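
The Solutions and Mitigations row says server routines should be chosen by content rather than by filename or extension. The following is an added Python example, not code from CAPEC, the Orion server or the cited book: a suffix-based dispatcher that shows how the trailing-period request from the Examples-Instances row slips past the JSP handler, beside a hardened dispatcher that canonicalizes the request path and routes from an explicit table, plus a small access-log check that flags such suffix variants for the detection side. DOCROOT, ROUTES, the execute_jsp stand-in and the log lines are constructed assumptions, not values from this entry.

```python
# Added example for the "Solutions and Mitigations" row of this CAPEC entry.
# It is not code from CAPEC, Orion or the cited book; DOCROOT, ROUTES, the
# execute_jsp stand-in and the access-log lines are all constructed here.
import re
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed "document root": request path -> file contents. The JSP source
# is the thing a misclassification would leak.
DOCROOT = {
    "/login.jsp": '<% out.println(db.query("select * from users")); %>',
    "/index.html": "<html>hello</html>",
}


def execute_jsp(source: str) -> str:
    """Stand-in for the JSP engine; a real server compiles and runs the page."""
    return "<rendered page>"


def vulnerable_dispatch(raw_path: str) -> Tuple[int, str]:
    """Picks the handler from the tail of the raw request path (the flaw the
    entry describes). '/login.jsp.' does not end in '.jsp', so it falls to
    the static handler, which tolerates trailing dots/spaces and serves the
    JSP source verbatim."""
    if raw_path.endswith(".jsp"):
        return 200, execute_jsp(DOCROOT[raw_path])
    key = raw_path.rstrip(". ")  # lenient lookup, as some servers/filesystems do
    if key in DOCROOT:
        return 200, DOCROOT[key]
    return 404, "not found"


# Explicit route table: each resource states how it is handled, so the
# decision no longer depends on what the request path happens to end with.
ROUTES = {
    "/login.jsp": ("jsp", "/login.jsp"),
    "/index.html": ("static", "/index.html"),
}

# One canonical spelling per path segment: letters, digits, '_' and '-', with
# at most one extension, so trailing '.', ' ' or '..' segments never match.
SAFE_PATH = re.compile(r"(/[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?)+/?")


def canonicalize(raw_path: str) -> Optional[str]:
    """Percent-decode and Unicode-normalize first, then validate, so that
    'login.jsp%20' and 'login%2Ejsp' are judged by what they decode to."""
    path = unicodedata.normalize("NFC", unquote(raw_path))
    path = re.sub(r"/+", "/", path)
    return path if SAFE_PATH.fullmatch(path) else None


def hardened_dispatch(raw_path: str) -> Tuple[int, str]:
    """Refuses anything that is not a registered, canonical path and
    dispatches from the route table rather than from the file extension."""
    path = canonicalize(raw_path)
    if path is None:
        return 400, "bad request"
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    kind, resource = route
    if kind == "jsp":
        return 200, execute_jsp(DOCROOT[resource])
    return 200, DOCROOT[resource]


# Constructed access-log lines (common log format) for the detection side.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /login.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2007:10:00:07 +0000] "GET /login.jsp. HTTP/1.1" 200 1304',
    '10.0.0.9 - - [01/Jan/2007:10:00:09 +0000] "GET /login.jsp%20 HTTP/1.1" 200 1304',
    '10.0.0.7 - - [01/Jan/2007:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 88',
]
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_suffix_variants(lines: List[str]) -> List[str]:
    """Returns request targets whose decoded path ends in a dot or whitespace,
    the tail characters the entry's Orion example relies on. A 200 response
    to such a request is the signal worth alerting on."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group(1)
        path = unquote(target.split("?", 1)[0])
        if path != path.rstrip(". \t"):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for p in ("/login.jsp", "/login.jsp.", "/login.jsp%20", "/login%2Ejsp"):
        print(p, "vulnerable:", vulnerable_dispatch(p)[0], "hardened:", hardened_dispatch(p))
    print("flagged:", flag_suffix_variants(LOG_LINES))
```

The hardened path does two things the entry's mitigation asks for: the request is reduced to one canonical spelling before any decision is made, and the decision itself comes from a table that names the handler for each resource, so a variant spelling can only fail closed (400 or 404) rather than reach a different handler. The log check is intentionally narrow, matching just the suffix trick in the Examples-Instances row; it is a starting point for a detection rule, not a general request-smuggling detector.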