Core Idea: Does it (or can it) interact with the server file system?
[Liffy] (https://github.com/rotlogix/liffy) is new and cool here but you can also use [Seclists] (https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt):
This is an important and common attack vector in this type of testing. A file upload functions need a lot of protections to be adequately secure.
Attacks:
- Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
- Execute XSS via same types of files. Images as well!
- Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
- Bypass security zones and store malware on target site via file polyglots
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
- content type spoofing
- extension trickery
- [File in the hole! presentaion] (https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf)
As referenced file polyglots can be used to store malware on servers! [See @dan_crowley ‘s talk] (http://goo.gl/pquXC2) [and @angealbertini research:] (corkami.com)
Look for any param with another web address in it. Same params from LFI can present here too.
Common blacklist bypasses:
- escape "/" with "/" or “//” with “//”
- try single "/" instead of "//"
- remove http i.e. "continue=//google.com"
- “//\” , “|/” , “/%09/”
- encode, slashes
- ”./” CHANGE TO “..//”
- ”../” CHANGE TO “....//”
- ”/” CHANGE TO “//”
Redirections Common Parameters or Injection points:
- dest=
- continue=
- redirect=
- url= (or anything with “url” in it)
- uri= (same as above)
- window=
- next=
RFI Common Parameters or Injection points:
- File=
- document=
- Folder=
- root=
- Path=
- pg=
- style=
- pdf=
- template=
- php_path=
- doc=