feat: added Reflected File Download (RFD)
parent
852c19172f
commit
4de1c37713
|
@ -8,7 +8,6 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||||
|
|
||||||
## List Vulnerability
|
## List Vulnerability
|
||||||
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
|
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
|
||||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
|
||||||
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
|
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
|
||||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||||
|
@ -21,6 +20,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||||
- [NoSQL Injection (NoSQLi)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
|
- [NoSQL Injection (NoSQLi)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
|
||||||
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||||
|
- [Reflected File Download (RFDD)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Reflected%20File%20Download.md)
|
||||||
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
||||||
- [Server Side Include Injection (SSI Injection)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Include%20Injection.md)
|
- [Server Side Include Injection (SSI Injection)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Include%20Injection.md)
|
||||||
- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
|
- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
|
||||||
|
@ -46,6 +46,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||||
## Miscellaneous
|
## Miscellaneous
|
||||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||||
- [Broken Link Hijacking](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Broken%20Link%20Hijacking.md)
|
- [Broken Link Hijacking](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Broken%20Link%20Hijacking.md)
|
||||||
|
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Business%20Logic%20Errors.md)
|
||||||
- [Default Credentials](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Default%20Credentials.md)
|
- [Default Credentials](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Default%20Credentials.md)
|
||||||
- [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md)
|
- [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md)
|
||||||
- [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md)
|
- [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md)
|
||||||
|
@ -73,6 +74,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||||
|
|
||||||
## To-Do-List
|
## To-Do-List
|
||||||
- [ ] Tidy up the reconnaisance folder
|
- [ ] Tidy up the reconnaisance folder
|
||||||
|
- [ ] Added more lesser known web attacks
|
||||||
- [x] Added CVEs folder
|
- [x] Added CVEs folder
|
||||||
- [ ] Writes multiple payload bypasses for each vulnerability
|
- [ ] Writes multiple payload bypasses for each vulnerability
|
||||||
- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
## Reflected File Download (RFD)
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Reflected File Download (RFD) is web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly escaped.
|
||||||
|
|
||||||
|
## Where to find
|
||||||
|
You can detect Reflected File Download (RFD) everywhere but there are 2 things that need to be looked up.
|
||||||
|
- Finding reflected input (For example: JSONP Callback)
|
||||||
|
- We can control the filename (there are several requirements that must be met)
|
||||||
|
- Make sure that the `Content-Disposition` header does not include the `filename` attribute.
|
||||||
|
|
||||||
|
```
|
||||||
|
Content-Disposition: attachment;
|
||||||
|
```
|
||||||
|
|
||||||
|
- If there isn't any `Content-Disposition` header, you can use download attributes in the `<a>` tag. For example, like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
<a download href="https://example/api/?id=1&outputtype=json&callback=||calc||">Press Here</a>
|
||||||
|
```
|
||||||
|
|
||||||
|
## How to exploit
|
||||||
|
1. Basic payload
|
||||||
|
```
|
||||||
|
http://example.com/api;/evil.bat;?callback=||calc||
|
||||||
|
```
|
||||||
|
|
||||||
|
"The browser will download the `evil.bat` file, and if you open the `.bat` file, the calculator will pop up.
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [Paper: Reflected File Download a New Web Attack Vector](https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view?resourcekey=0-NV7cTUTB48bltMEddlULLg)
|
||||||
|
* [Reflected File Download(RFD) Vulnerability. What? How?](https://medium.com/@Johne_Jacob/rfd-reflected-file-download-what-how-6d0e6fdbe331)
|
Loading…
Reference in New Issue