Exploiting a file download's request parameters to create a malware delivery risk: a $200 bug!

The POST request for downloading the list of invoices carried three parameters, each with its own problem:

1. `csrf_token`: the request is vulnerable to CSRF. I could remove the token entirely and the file was still downloadable, so the server never validated it.
2. `filename`: the request is vulnerable to extension filter bypass. I could inject an extension I control and change the nature of the file. This was the major attack vector, as the downloaded file could be turned into an executable (`.exe` for Windows targets and `.sh` for Linux targets).
3. `data`: the request is vulnerable to file content overwrite. I could change this parameter, and the downloaded file then contained the data I had injected as the attacker.
Reward on finding at Bugcrowd
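The three findings share one root cause: the server trusted request fields it should have owned. As an added example (not the author's code and not the affected site's), here is a download handler that closes all three at once; it assumes a hypothetical session dict holding the account id and a CSRF token, and uses a constructed in-memory invoice store in place of a database.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the server-side invoice records (a database in a real app).
INVOICE_STORE = {"acct-42": "invoice_id,amount\n1001,250.00\n1002,75.50\n"}

# The endpoint serves exactly one file type; the client cannot change it.
SERVED_EXTENSION = "csv"
SERVED_CONTENT_TYPE = "text/csv; charset=utf-8"


@dataclass
class DownloadResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def new_session(account_id):
    """Hypothetical session factory: binds a random CSRF token to the session."""
    return {"account_id": account_id, "csrf_token": secrets.token_urlsafe(32)}


def safe_basename(requested):
    """Keep only a plain base name: drop everything from the first dot onward so a
    client cannot smuggle in ".exe" or ".sh", then restrict the character set."""
    base = str(requested or "").split(".")[0]
    base = re.sub(r"[^A-Za-z0-9_-]", "", base)[:64]
    return base or "invoices"


def invoices_download(session, form):
    """Invoice download handler hardened against the three issues in the write-up."""
    # 1. csrf_token: must be present and match the session token (constant-time compare).
    token = str(form.get("csrf_token", ""))
    if not token or not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return DownloadResponse(403)
    # 2. filename: extension and character set are fixed server-side ("invoices.exe" -> "invoices.csv").
    name = f"{safe_basename(form.get('filename'))}.{SERVED_EXTENSION}"
    # 3. data: the body comes from the server-side record; a "data" field in the form is ignored.
    body = INVOICE_STORE[session["account_id"]].encode("utf-8")
    headers = {
        "Content-Type": SERVED_CONTENT_TYPE,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",  # stop browsers from re-sniffing the type
    }
    return DownloadResponse(200, headers, body)
```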

Muhammad Aamir

Cybersecurity Professional / Researcher from Pakistan