CAPEC-11 - Cause Web Server Misclassification

An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.

This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used, and malicious information is generally appended at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period, or simply an appended tag that has a special meaning for operations on the server side, like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not its contents.


  • Attack Methods (2): Injection; Modification of Resources
  • Purposes (1): Reconnaissance
  • Scopes (2): Read application data / Read memory (Confidentiality); Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)

Low level: To modify file name or file extension

Medium level: To use misclassification to force the Web server to disclose configuration information, source, or binary data

Web server software must rely on file name or file extension for processing.

Ability to issue HTTP requests to the Web server

Step 1 - Footprint file input vectors

Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.

Technique ID: 1 - Environment(s) env-Web

Attacker manually crawls the application to identify file inputs

Technique ID: 2 - Environment(s) env-Web

Attacker uses an automated tool to crawl the application and identify file inputs

Technique ID: 3 - Environment(s) env-Web

Attacker manually assesses the strength of the access control protecting native application files from user control

Technique ID: 4 - Environment(s) env-Web

Attacker explores the potential for submitting files directly to the web server via independently constructed HTTP requests

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

Application submits files under user control to the web server

Indicator ID: 2 - Environment(s) env-Web

Type: Negative

Application does not submit files under user control to the web server

Indicator ID: 3 - Environment(s) env-Web

Type: Negative

Application strictly protects all native application files from user control


Outcome ID: 1

Type: Success

User-controllable files are identified



Step 1 - File misclassification shotgunning

An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.

Technique ID: 1 - Environment(s) env-Web

Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.

Technique ID: 2 - Environment(s) env-Web

Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The web server uses the wrong handler to execute the file, as expected by the attacker.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

No result from the web server.

Indicator ID: 3 - Environment(s) env-Web

Type: Negative

The web server ignores the manipulation and processes the request as it should.


Security Control ID: 2

Type: Detective

Monitor web server logs for excessive file processing errors
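As an added example (not part of the CAPEC entry) of the detective control above, this Python script counts handler errors per client over constructed Common Log Format lines and flags the name manipulations this step describes (a trailing period, a stacked extension). The 5xx criterion and the threshold are assumptions for illustration:

```python
import re
from collections import defaultdict

# Common Log Format; the field names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Name manipulations the page describes: a trailing '.' after the extension,
# and a server-side extension with another extension stacked after it.
MANIPULATED = re.compile(r"\.$|\.(jsp|php|asp|aspx|cgi)\.[a-z0-9]{1,5}$", re.I)

# Constructed sample log, not captured from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login.jsp. HTTP/1.1" 500 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.jsp.txt HTTP/1.1" 500 2326
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /home.php.jsp HTTP/1.1" 500 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.jsp HTTP/1.1" 200 1043
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /missing.html HTTP/1.1" 404 209
"""

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def flag_clients(lines, threshold=3):
    """Per client IP, count 5xx responses (the server failed while handling
    the file) and requests whose name looks manipulated; report clients whose
    5xx count reaches the threshold. Both criteria are illustrative."""
    stats = defaultdict(lambda: {"errors": 0, "manipulated_names": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if rec["status"] >= 500:
            s["errors"] += 1
        if MANIPULATED.search(rec["path"]):
            s["manipulated_names"] += 1
    return {ip: dict(s) for ip, s in stats.items() if s["errors"] >= threshold}

if __name__ == "__main__":
    for ip, s in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {s['errors']} handler errors, {s['manipulated_names']} odd names")
```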

Security Control ID: 3

Type: Preventative

Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.


Outcome ID: 1

Type: Success

Web server exhibits unexpected behavior.


Step 2 - File misclassification sniping

Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type, to see if the web server is vulnerable to misclassification of that type.

Technique ID: 1 - Environment(s) env-Web

Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.

Technique ID: 2 - Environment(s) env-Web

Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The web server uses the wrong handler to execute the file, as expected by the attacker.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

No result from the web server.

Indicator ID: 3 - Environment(s) env-Web

Type: Negative

The web server ignores the manipulation and processes the request as it should.


Security Control ID: 1

Type: Detective

Monitor web server logs for excessive file processing errors

Security Control ID: 2

Type: Preventative

Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.


Outcome ID: 1

Type: Success

Attacker's payload is acted on by web server.

Outcome ID: 2

Type: Failure

The attacker cannot get the web server to misclassify a file.



Step 1 - Disclose information

The attacker, by manipulating a file extension or MIME type, is able to make the web server return raw information (not executed).

Technique ID: 1 - Environment(s) env-Web

Manipulate the file names that are explicitly sent to the server.

Technique ID: 2 - Environment(s) env-Web

Manipulate the MIME type sent in order to confuse the web server.

Security Control ID: 1

Type: Preventative

Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.


Outcome ID: 1

Type: Success

The attacker gets the information from the server



Implementation: Server routines should be selected by file content, not by filename or file extension.
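Added example, not from CAPEC, of the preventative control repeated in each step and the implementation note above: an upload is typed by its leading bytes, and the filename (after dropping a trailing period and taking only the last extension) and the declared MIME type must agree with that result or the upload is rejected. The allow-list and signature table are this example's own assumptions:

```python
from typing import Optional

# Leading bytes of the few types this example accepts (constructed allow-list).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
MIME_FOR = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "pdf": "application/pdf"}
ALIASES = {"jpeg": "jpg"}

def canonical_extension(filename: str) -> Optional[str]:
    """Normalise the name tricks the page lists before judging the extension:
    drop a trailing '.' ('report.pdf.' becomes 'report.pdf'), keep only the
    last extension ('x.jsp.png' is judged as 'png'), refuse anything outside
    the allow-list, which excludes every server-side script extension."""
    name = filename.strip().rstrip(". ")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    ext = ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None

def sniff_type(data: bytes) -> Optional[str]:
    """Decide the type from the bytes themselves, never from the name."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None

def classify_upload(filename: str, declared_mime: str, data: bytes):
    """Return (handler_type, reason); handler_type is None when rejected.
    Content decides; the name and the declared MIME type must merely agree."""
    ext = canonical_extension(filename)
    if ext is None:
        return None, "extension not in allow-list"
    actual = sniff_type(data)
    if actual is None:
        return None, "content matches no accepted type"
    if actual != ext:
        return None, f"content is {actual} but name claims {ext}"
    if declared_mime.split(";", 1)[0].strip().lower() != MIME_FOR[actual]:
        return None, f"declared MIME {declared_mime!r} disagrees with content"
    return actual, "ok"
```

Because the handler is chosen from `actual`, a JSP body named `page.png` or a PNG declared as `image/jpeg` never reaches a script engine.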