Reflected File Download : Discover, Proceed, Remediate

Attacks that combine URL path segments with web services vulnerable to JSONP injection are classed as Reflected File Download (RFD) attacks, where the main goal of the JSONP injection is to deliver malware to the end user.

Where to Discover?

JSON and JSONP APIs are the main exposure to RFD; endpoints that handle user information, autocomplete and search boxes are the usual target areas of the attack. The majority of modern applications are vulnerable to this attack. RFD candidates are usually spotted in proxied requests, which can be reviewed using tools like Burp Suite, ZAP etc. Apart from JSON and JSONP APIs, RFD is also possible in JavaScript responses.

How to Proceed?

First, observe whether a callback parameter is present on the request.
If there is a callback, try changing its value to calc.
If calc is reflected back on the screen, that is good news. It may be that the target has a whitelist of callbacks. If so, look for another parameter that is reflected. In the example above, we can see a term parameter. Inject the following search term:
If the double quote is backslash-escaped and there is no encoding for the pipe character, then the attack is reflected.
Note: Even if there is no callback, we should still try to inject one. In most cases it is there.
If there is no callback, try to inject into a different parameter that is reflected. Take into consideration that it should be accessible to anyone, not only to you; otherwise it would be Self-RFD.

The problem in getting download dialog

If the server does not send a Content-Disposition: attachment header to force the download, we must use the HTML5 download attribute to do this. JSON is interpreted as an attachment in IE, which will automatically try to download it.
The HTML5 download attribute is available in the browsers below:
Firefox (we have to make small changes for it to work)
<a href="" download="setup.bat">Download</a>
In this example, for Chrome and Opera we just need to click the link, which will download setup.bat.
Remember: we have to closely observe the returned HTTP status code. It must be 200; a 403 or 401 will not result in an RFD attack.

Real world example (patched now)

Refer to the link below for a detailed RFD found in a Google API.
This one shows that you don't need a JSON file to get an RFD attack; even a JS file which reflects your information will do the job.

RFD payloads

For a proof of concept, we can use calc or open Chrome with your website.
Below is a small list which we can use to demonstrate RFD.
shutdown -t 0 -r -f
Beyond the list above, we can use any command, depending on the operating system of the victim machine.

How to remediate it

You can use the Content-Disposition header with a defined filename:
Content-Disposition: attachment; filename=786.txt
This way it is impossible to change the filename and, most importantly, the file extension. Also, whitelist the callbacks if there are any, and do not forget to encode values reflected from the request.
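The three remediations above, applied to a hypothetical JSONP search endpoint that reflects the user's search term, plus a small header check you can run over a proxy capture. This is an added example, not code from the article; the filename 786.txt is taken from the article, while the callback allow-list pattern and the function names are assumptions.

```python
import json
import re

# Allow-list for JSONP callback names: a JavaScript identifier, optionally
# dotted (e.g. "jQuery.cb123"). Shell metacharacters such as |, ", & and
# whitespace cannot pass, so the callback can no longer carry a command.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*){0,3}$")
DEFAULT_CALLBACK = "callback"
FIXED_FILENAME = "786.txt"  # server-chosen name from the article; the client cannot change it


def safe_callback(name):
    """Return the requested callback only if it is on the allow-list."""
    if name and len(name) <= 64 and CALLBACK_RE.match(name):
        return name
    return DEFAULT_CALLBACK


def jsonp_response(callback, term, results):
    """Build (status, headers, body) for a JSONP search endpoint that
    reflects the user's search term, applying the remediations."""
    body_json = json.dumps({"term": term, "results": results})
    # json.dumps already escapes " and \ ; < and > are escaped as well so the
    # body is never usable as HTML if the content type is ignored.
    body_json = body_json.replace("<", "\\u003c").replace(">", "\\u003e")
    body = f"/**/{safe_callback(callback)}({body_json});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # A fixed filename and extension: a path segment such as /setup.bat
        # appended to the URL no longer decides what the browser saves.
        "Content-Disposition": f"attachment; filename={FIXED_FILENAME}",
        # Stop the browser sniffing the body as a different type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def rfd_hardened(headers):
    """Check captured response headers for the RFD mitigations; returns a
    list of findings, empty when the response is hardened."""
    findings = []
    cd = headers.get("Content-Disposition", "")
    if "attachment" not in cd or "filename=" not in cd:
        findings.append("Content-Disposition without attachment; filename=")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings
```

The reflected term is still present in the body (escaped), which is why the fixed filename is the control that matters most: whatever the body contains, it is saved as 786.txt.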
Authored By - Shwetabh Suman
TCS Cyber Security Practice