CAPEC-48 - Passing Local Filenames to Functions That Expect a URL

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 3
  • API Abuse
  • Modification of Resources
  • Protocol Manipulation
  • Purposes 1
  • Exploitation
  • Scopes 2
  • Read application data
  • Confidentiality
  • Modify application data
  • Integrity

Medium level: Attacker identifies known local files to exploit

The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.

Design: Use browser technologies that do not allow client side scripting.

Implementation: Perform input validation for all remote content.

Implementation: Perform output validation for all remote content.

Implementation: Disable scripting languages such as JavaScript in browser