CAPEC-76: Manipulating Web Input to File System Calls
Manipulating Web Input to File System Calls
Definition in a New
Attack Pattern ID: 76
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is.
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.
Induce errors to find informative error messages
Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
Spider web sites for all available links, entry points to the web site.
Manually explore application and inventory all application inputs
Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.
Then an attacker creates special payloads to bypass this filter:
More information is available — Please select a different filter.
Page Last Updated or Reviewed:
July 31, 2017
Use of the Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy, and the associated references from this website, are subject to the