CAPEC-73: User-Controlled Filename (Version 2.5)

Attack Pattern ID: 73
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attack of this type involves an attacker inserting malicious characters (such as an XSS redirection) into a filename, directly or indirectly, that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user-supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

+ Attack Prerequisites
  • The victim must trust the name and locale of user-controlled filenames.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
+ Examples-Instances

Description

Phishing attacks rely on a user clicking on links that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplied resource name, in this case via email. The resource name, however, may either 1) direct the client browser to a malicious site to steal credentials and/or 2) execute code on the client machine to probe the victim's host system and network environment.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To achieve a redirection and the use of a less trusted source, an attacker can simply edit the data that the host uses to build the filename.

Skill or Knowledge Level: Medium

Deploying a malicious "look-alike" site (such as a site masquerading as a bank or online auction site) into which the user enters their authentication data.

Skill or Knowledge Level: High

Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.

+ Solutions and Mitigations

Design: Use browser technologies that do not allow client side scripting.

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Perform input validation for all remote content.

Implementation: Perform output validation for all remote content.

Implementation: Disable scripting languages such as JavaScript in the browser.

Implementation: Scan dynamically generated content against the validation specification.
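The input-validation and output-validation mitigations above can be combined on the server that receives a user-supplied filename and later renders it into HTML. The following is an added example, not code from the CAPEC entry or from MITRE: the allowlist pattern, the permitted extensions, the `/files/` link prefix and the sample filenames are all constructed for this illustration. It shows the vulnerable "before" form (raw interpolation of the filename into markup) next to a hardened form that validates the name against an acceptable content specification on input and escapes it for both the URL and HTML contexts on output.

```python
import html
import re
import unicodedata
from typing import Optional
from urllib.parse import quote

# Acceptable content specification for a filename (constructed policy for this example):
# starts with a letter or digit, then only letters, digits, '.', '_' or '-', max 128 chars.
# Path separators, quotes, angle brackets and control characters are excluded by construction.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Extensions this hypothetical application is willing to store and serve.
ALLOWED_EXT = {".pdf", ".png", ".txt"}


def validate_filename(name: str) -> Optional[str]:
    """Input validation: return the filename if it meets the specification, else None."""
    # Normalise Unicode first so compatibility characters cannot slip past the pattern.
    name = unicodedata.normalize("NFKC", name)
    if not SAFE_NAME.fullmatch(name):
        return None
    # The pattern permits '.', so reject traversal-style sequences explicitly.
    if ".." in name:
        return None
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    if ext not in ALLOWED_EXT:
        return None
    return name


def render_link_unsafe(name: str) -> str:
    """The vulnerable 'before' form: the filename is interpolated into HTML unchanged,
    so any markup characters it carries reach the client browser as markup."""
    return f'<a href="/files/{name}">{name}</a>'


def render_link(name: str) -> str:
    """Output validation: encode the filename for the URL context and escape it for HTML.
    Safe to call on any string; used here as defence in depth after validate_filename."""
    href = "/files/" + quote(name, safe="")          # percent-encode everything but unreserved chars
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True),               # attribute context
        html.escape(name, quote=True),               # text-node context
    )


def link_for_upload(user_filename: str) -> str:
    """Full flow: validate on input, escape on output, never echo a rejected name."""
    safe = validate_filename(user_filename)
    if safe is None:
        return '<span class="rejected">file rejected</span>'
    return render_link(safe)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying markup characters.
    for sample in ("report-2014.pdf", "quarterly<script>.pdf"):
        print("unsafe   :", render_link_unsafe(sample))
        print("hardened :", link_for_upload(sample))
```

The two layers are deliberately independent: `validate_filename` rejects anything outside the specification before it is stored, and `render_link` escapes whatever it is given, so a name that reaches the rendering path by some route that skipped validation still cannot break out of the attribute or text context.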

+ Attack Motivation-Consequences
Scope                                           Technical Impact                        Note
Confidentiality, Access_Control, Authorization  Gain privileges / assume identity
Confidentiality, Integrity, Availability        Execute unauthorized code or commands   Run Arbitrary Code
Availability                                    Alter execution logic
Confidentiality                                 Read application data
+ Injection Vector

Payload delivered through a user-controlled filename.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables the attacker to execute server-side code with any commands for which the program owner has privileges.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms: All
Frameworks: All
Platforms: All
Languages: All
+ References
[R.73.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
Submitter          Organization   Date
[R.73.1][REF-2]    Cigital, Inc   2007-01-01
Modifications
Modifier            Organization           Date        Comments                                                                                     Source
Gunnar Peterson     Cigital, Inc           2007-02-28  Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum         Cigital, Inc           2007-03-09  Review and revise
Richard Struse      VOXEM, Inc             2007-03-26  Review and feedback leading to changes in Related Attack Patterns
Sean Barnum         Cigital, Inc           2007-04-13  Modified pattern content according to review and feedback
CAPEC Content Team  The MITRE Corporation  2014-02-06  Updated Attacker_Skills_or_Knowledge_Required, Examples-Instances, Solutions_and_Mitigations  Internal

Page Last Updated: May 07, 2014