Exploitation of file’s download parameters to create potential risk of malware delivery: $200 bug!

The POST request for downloading the list of invoices carried three parameters, each with its own weakness:
  1. csrf_token: The request is vulnerable to CSRF. I could remove the token and the file was still downloadable.
  2. filename: The request is vulnerable to extension filter bypass. I could inject an extension that I control to change the nature of the file. This was the major attack vector, as I could convert the file into an executable (.exe for Windows targets and .sh for Linux targets).
  3. data: The request is vulnerable to file data overwrite. I could change the data and, when downloaded, the file contained the data I had injected as the attacker.
Reward on finding at Bugcrowd
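The three findings above map onto three server-side controls. The handler below is an added example written for this write-up, not the target's or the author's code: it validates the CSRF token, ignores any client-supplied extension that is not on an allow-list, and builds the file body from server-side records rather than from a `data` field. The `INVOICES` sample, the allow-list and the `export_invoices` signature are assumptions.

```python
import hmac
import re

# Constructed sample data: the server's own record of invoices (assumption).
INVOICES = [("INV-1001", "120.00"), ("INV-1002", "75.50")]
ALLOWED_EXTENSIONS = {"csv"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def csrf_token_valid(session_token, request_token):
    # Finding 1: a missing token is a failure, and comparison is constant-time.
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)

def safe_filename(user_filename):
    # Finding 2: the client's extension is never trusted. Keep the base name
    # only, then require an allow-listed extension and a conservative stem.
    base = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS or not SAFE_STEM.match(stem):
        return None
    return f"{stem}.{ext}"

def render_invoices():
    # Finding 3: file contents come from server-side records, never from a
    # 'data' field in the request body.
    rows = ["id,amount"] + [f"{i},{a}" for i, a in INVOICES]
    return "\n".join(rows) + "\n"

def export_invoices(form, session):
    """Handle the invoice-download POST; returns (status, headers, body)."""
    if not csrf_token_valid(session.get("csrf_token"), form.get("csrf_token")):
        return 403, {}, "invalid csrf token"
    name = safe_filename(form.get("filename", ""))
    if name is None:
        return 400, {}, "invalid filename"
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, render_invoices()
```

A request carrying `filename=invoices.exe` or a `data` field is rejected or ignored respectively, and a path prefix such as `../` is stripped before the name is checked.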


Cybersecurity Professional / Researcher from Pakistan
