[⭐] Leaking hidden sensitive files via .DS_Store #2007
Comments
|
This issue has been automatically marked as |
|
This issue was closed because it has been stalled for 7 days with no activity. |
|
Hi, I see this issue has been automatically closed while I was waiting for some approval / guidance before starting to work on the challenge creation. I just noticed some positive reactions to my initial post as the forms of 👍 and ❤. Does it mean I can starting working on the challenge? |
|
Hi @bkimminich. I'm just following up on this issue given the lack of answers. |
|
Hi! I like the idea. We could put the DStore file into the /ftp folder as our "usual" place for misplaced things. If it leads to a filename to be requested from the server, that'd probably be the easiest way to get the challenge solved. |
and others
⭐ Challenge idea
Description
macOS'
.DS_Storefiles are regularly uploaded by mistake as part of website deployments. This can lead to unveiling hidden files and directories.More information about this security issue can be found here.
Underlying vulnerability/ies
I suggest adding one or multiple
.DS_Storefiles leading to a sensitive file whose name cannot be easily guessed, even with a dictionary attack.This vulnerability would match CWE-552.
Expected difficulty
The real difficulty of the challenge would be to think about this attack vector and to find and use to right tools to parse the
.DS_Storefiles to extract the filenames from it.Possible attack flow
I have recently worked on adding a parser of
.DS_Storefiles to OWASP ZAP: zaproxy/zaproxy#30. It means that finding and exploiting.DS_Storefiles can be really straightforward when using a tool that includes them as part of its reckon process. Otherwise, users would need to come with the idea of scanning for.DS_Storefiles by themselves.The text was updated successfully, but these errors were encountered: