
I recently came across a behavior in a web application where the application (through the use of the header Content-Disposition: attachment) offers to download an HTML file instead of allowing it to get parsed by the browser. Interestingly, the GET request to the URL that lets you download the HTML page passes the absolute path of the HTML file that will be downloaded, starting all the way from /usr/local....<snip>/public/mypage.html.

If an attacker has the privilege to upload an HTML file to this location (public), apart from an XSS attack, what else can he/she do on the machine of a victim who downloads and opens the HTML file crafted by the attacker?

I am aware of the XSS attacks that one can do by injecting some malicious JavaScript in the HTML file. I would like to know what else an attacker can get done outside of JavaScript XSS attacks.

Anders
Sreeraj

2 Answers

I believe this could be used to distribute a sort of clickjacking attack, and obviously you can force the victim to download some exe from the crafted HTML page. Furthermore, you can use a link with an href like file:/// to run the malicious exe. Sorry for typos, writing from phone.

Marco Nappi

(A more concerning bit is that, as worded, the attacker can specify any file on the server to download... but this is not your question.)

When a user downloads and opens an HTML file, that user is exposed to some of the same risks as when the user browses to any HTML file from a web server...

  • the HTML can try to look like a login page for phishing
  • the HTML can try to exploit browser vulnerabilities, for example, with malformed HTML
  • the HTML can try to exploit a cross-origin request forgery

...and some new risks:

  • the HTML can include resources on the user's file system, for example, making it appear that the website that served the HTML file has private pictures from the user's computer (even though it's really just the attacker guessing the path to the files in the user's Pictures folder)
  • older browsers may have vulnerabilities that let scripts in the HTML read files from the user's computer and send the contents to the attacker

As an example of the last one:

In Gecko 1.8 or earlier, any two file: URIs are considered to be same-origin. In other words, any HTML file on your local disk can read any other file on your local disk.

(from https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs)

PlasmaSauna
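The second answer's opening remark, that a download endpoint taking an absolute path lets a client ask for any file on the server, is the part of this question a defender can actually fix. The following is an added example (not code from the question's application or from either answerer) of how such an endpoint should resolve a client-supplied name: pin it under a fixed public directory, refuse traversal and symlink escapes, and send headers that keep the browser from rendering the file as a page. The directory layout, file names and the `safe_resolve` / `download_headers` function names are assumptions for illustration.

```python
import os
import re
import tempfile
from pathlib import Path


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Map a client-supplied name onto a regular file inside base_dir.

    Raises ValueError for anything that would escape base_dir: absolute
    paths, '..' segments, empty segments, symlinks pointing outside the
    directory, or names that do not denote an existing regular file.
    """
    base = Path(base_dir).resolve(strict=True)
    # Treat the request strictly as a relative name: drop leading separators
    # so an absolute path like /usr/local/.../secret cannot be addressed.
    rel = requested.replace("\\", "/").lstrip("/")
    if rel == "" or any(seg in ("..", ".", "") for seg in rel.split("/")):
        raise ValueError("invalid path segment")
    candidate = (base / rel).resolve()  # resolve() also follows symlinks
    if base not in candidate.parents:
        raise ValueError("path escapes base directory")
    if not candidate.is_file():
        raise ValueError("not a regular file")
    return candidate


def download_headers(filename: str) -> dict:
    """Response headers that make the browser save the file, not render it.

    Content-Disposition: attachment keeps the HTML out of the site's origin,
    X-Content-Type-Options: nosniff stops content sniffing, and a generic
    content type avoids the response being treated as a document.
    """
    # Restrict the filename to a safe ASCII set so CR/LF or quotes in a
    # client-controlled name cannot inject extra headers or break the value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name or "download"}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo() -> dict:
    """Build a throwaway public/ tree (constructed sample data) and show
    which download requests the resolver accepts or rejects."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "mypage.html"), "w") as f:
        f.write("<p>constructed sample page</p>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the public directory")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link.txt"))

    requests = {
        "plain": "mypage.html",
        "leading slash": "/mypage.html",
        "traversal": "../secret.txt",
        "hidden traversal": "sub/../mypage.html",
        "absolute": os.path.join(root, "secret.txt"),
        "symlink escape": "link.txt",
    }
    results = {}
    for label, req in requests.items():
        try:
            results[label] = safe_resolve(public, req).name
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} -> {outcome}")
    print(download_headers("mypage.html"))
```

Only the first two requests map to the intended file; everything else is refused before any file is opened. Pairing this with a separate "downloads" origin (or a `Content-Security-Policy: sandbox` on anything that must be rendered) is the usual next step when user-uploaded HTML has to be served at all.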