particular file type or set of file types, and reject attempts to access anything else. Sometimes this check can be subverted by placing a URL-encoded null byte at the end of your requested filename, followed by a file type that the application accepts. For example:
../../../../../boot.ini%00.jpg
The reason this attack sometimes succeeds is that the file type check is implemented using an API in a managed execution environment in which strings are permitted to contain null characters (such as String.endsWith() in Java). However, when the file is actually retrieved, the application ultimately uses an API in an unmanaged environment in which strings are null-terminated, and so your filename is effectively truncated to your desired value.
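As an added illustration (not from the book, and written in Python rather than Java), the following models the mismatch just described and a hardened check that closes it: weak_check reproduces the managed-code suffix test, as_seen_by_c_api models what a null-terminated file API would receive, and resolve_safely rejects the request by refusing control characters and confirming the canonical path stays inside the assumed base directory. The function names, allowed suffixes and base directory are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed allow-list of file types the application serves.
ALLOWED_SUFFIXES = (".jpg", ".png")


def weak_check(requested: str) -> bool:
    """Mirrors the flawed managed-code check: after URL decoding the string
    may contain an embedded NUL, and endswith() simply looks past it."""
    name = unquote(requested)
    return name.endswith(ALLOWED_SUFFIXES)


def as_seen_by_c_api(requested: str) -> str:
    """Models (does not perform) a null-terminated file open: everything after
    the first NUL byte is invisible to the unmanaged API."""
    name = unquote(requested)
    nul = name.find("\x00")
    return name if nul == -1 else name[:nul]


def resolve_safely(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened check. Returns the resolved path, or None if the request
    is rejected. Assumed API; not the book's code."""
    name = unquote(requested)
    # 1. Reject control characters outright, NUL included, so the string that
    #    was checked is exactly the string the file API will see.
    if any(ord(c) < 0x20 for c in name):
        return None
    # 2. Apply the suffix check to the full decoded string.
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        return None
    # 3. Canonicalise and confirm the result is still inside base_dir, which
    #    stops "../" traversal independently of the suffix check.
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    payload = "../../../../../boot.ini%00.jpg"   # the request from the text
    print("weak check passes:", weak_check(payload))
    print("C API would open:", as_seen_by_c_api(payload))
    print("hardened check:", resolve_safely("/var/www/images", payload))
```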
■ A different attack against file type filtering is to use a URL-encoded new-