This attack relies on client-side code to access local files and resources
instead of URLs. When the client browser is expecting a URL string, but
instead receives a request for a local file, that execution is likely to
occur in the browser process space with the browser's authority over local
files. The attacker can send the results of this request for local files
out to a site that they control. This attack may be used to steal sensitive
authentication data (either local or remote), or to gain system profile
information to launch further attacks.
Attack Prerequisites
The victim's software must not differentiate between the location and type
of reference passed to the client software, e.g. the browser
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
API Abuse
Modification of Resources
Protocol Manipulation
Examples-Instances
Description
J2EE applications frequently use .properties files to store
configuration information including JDBC connections, LDAP connection
strings, proxy information, system passwords and other system metadata
that is valuable to attackers looking to probe the system or bypass
policy enforcement points. When these files are stored in publicly
accessible directories and are allowed to be read by the public user,
then an attacker can list the directory, identify a .properties file, and
simply load it in the browser to view its contents. A standard
Hibernate properties file contains
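A deployment check for the .properties exposure described above, as an added example that is not part of the original CAPEC entry: it walks an exploded web application root and reports every .properties file outside the top-level WEB-INF and META-INF directories, which the servlet container does not serve to clients. The key-name pattern, the sample layout and all file contents are constructed assumptions.

```python
import os
import re
import tempfile

# Top-level directories a servlet container refuses to serve directly.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}
# Assumed key-name fragments that suggest credentials or connection metadata.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|jdbc|ldap|proxy", re.I)

def sensitive_keys(text):
    """Return the keys in .properties text whose names look sensitive."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key = re.split(r"[=:\s]", line, maxsplit=1)[0]
        if SENSITIVE_KEY.search(key):
            keys.append(key)
    return keys

def audit_webroot(webroot):
    """Map each client-reachable .properties file to its sensitive keys."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(webroot):
        if dirpath == webroot:
            # Only the top-level WEB-INF/META-INF are protected; a nested
            # directory with the same name is served like any other.
            dirnames[:] = [d for d in dirnames if d not in PROTECTED_DIRS]
        for name in filenames:
            if name.lower().endswith(".properties"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                    findings[rel] = sensitive_keys(fh.read())
    return findings

def demo():
    """Audit a constructed exploded-WAR layout (all values are placeholders)."""
    layout = {
        "WEB-INF/classes/db.properties": "jdbc.password=placeholder\n",
        "config/app.properties": "# constructed\njdbc.url=jdbc:example://db.invalid/app\n"
                                 "jdbc.password = placeholder\nldap.url: ldap://ldap.invalid\nui.theme=dark\n",
        "docs/WEB-INF/old.properties": "secret.key=placeholder\n",
        "static/messages.properties": "greeting=Hello\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Files reported with an empty key list are still reachable by clients; moving configuration under WEB-INF or outside the web root removes them from the report.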
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.