Welcome back, my aspiring cyber warriors!
In general, we can say that the solution to many injection attacks in web applications is "Input Validation". Input validation makes certain that only the type of input that the application was developed to handle is input and not malicious commands or scripts masquerading as data.
Some applications enable or even encourage us to upload a photo, avatar or other representation of ourselves (think Facebook, Twitter, LinkedIn, other social media or your business or school website). What is to keep attackers from simply uploading a malicious script? Usually the answer is to check and validate the type of input before allowing it to be uploaded.
In a previous post, here we were able to upload a malicious shell to the DVWA web site when it didn't do input validation. In this tutorial, we will bypass weak input validation and still upload a malicious script.
Step #1: Start Kali and Burp Suite
To start, fire up your Kali Linux and open the BurpSuite.
Enable BurpSuite to proxy your request and responses from your browser. See my previous BurpSuite post on how to do this with Mozilla.
Step #2: Start OWASP BWA
Now, start the OWASP Broken Web App (BWA) server and go to the DVWA application and login (admin/password).
After logging into the DVWA, go to the lower left button and set the DVWA Security to "medium". Make certain that you have the intercept on in the BurpSuite proxy.
Step #3: Attempt to Upload a Malicious File
Now, click on the upload button. Imagine that this is your LinkedIn page or your Twitter profile. In both cases, you are expected to upload a picture or avatar of yourself.
Note in the screenshot below, the application states "Choose an image to upload: ".
Now, instead of uploading a picture, we instead try to upload a malicious Python script. I have created a file and named it "malicious_python_script.py" and attempted to upload it. You can create any text file, malicious or not, and attempt to upload it.
As you can see below, the application rejected our malicious script because it uses input validation to assure that the upload file is an image file. Can we bypass this input validation?
Step #4: Bypass Input Validation with BurpSuite
Let's go to our BurpSuite and look at the POST that was captured by the intercept. As you can see on lines 19 and 20, it identified the file name and identified the type of file as "text/x-python". Very good, that is correct. The app was designed to only allow pictures to be uploaded and so it rejected our malicious file.
Now, let's go into the intercepted POST and edit it a bit. The input validation took place inside the form on the client-side. Now that we have intercepted it on its way to the server, we can manipulate the code to reflect that it is a "safe" file before sending it on to the server. We can do this by changing the Content-Type in line #20 to "image/jpeg". In this way the server will accept this file, believing that the file is a jpeg file.
Now, in the BurpSuite, forward the POST to the server.
The file is successfully uploaded and our Python script is ready to be executed and do its dirty work!
Summary
In general, input validation is the answer to the problem of injection attacks to web applications and others. In this case, the web application only did input validation at the client side and therefore the attacker can manipulate the POST response in BurpSuite to edit the file type and get the server to accept our malicious content!