[⭐] Leaking hidden sensitive files via .DS_Store #2007
Comments
This issue has been automatically marked as
This issue was closed because it has been stalled for 7 days with no activity.
Hi, I see this issue has been automatically closed while I was waiting for some approval / guidance before starting to work on the challenge creation. I just noticed some positive reactions to my initial post in the form of 👍 and ❤. Does it mean I can start working on the challenge?
Hi @bkimminich. I'm just following up on this issue given the lack of answers.
Hi! I like the idea. We could put the .DS_Store file into the /ftp folder as our "usual" place for misplaced things. If it leads to a filename that can then be requested from the server, that'd probably be the easiest way to get the challenge solved.
⭐ Challenge idea
Description
macOS' .DS_Store files are regularly uploaded by mistake as part of website deployments. This can lead to unveiling hidden files and directories. More information about this security issue can be found here.
Underlying vulnerability/ies
I suggest adding one or multiple .DS_Store files leading to a sensitive file whose name cannot be easily guessed, even with a dictionary attack. This vulnerability would match CWE-552.
Expected difficulty
The real difficulty of the challenge would be to think about this attack vector and to find and use the right tools to parse the .DS_Store files to extract the filenames from them.
Possible attack flow
I have recently worked on adding a parser of .DS_Store files to OWASP ZAP: zaproxy/zaproxy#30. It means that finding and exploiting .DS_Store files can be really straightforward when using a tool that includes them as part of its recon process. Otherwise, users would need to come up with the idea of scanning for .DS_Store files by themselves.
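The parsing step the post relies on (recovering directory entries from a misplaced .DS_Store) as an added worked example in Python. This is not code from the issue author, from OWASP ZAP or from Juice Shop; it implements the publicly documented "Bud1" layout: a header pointing at a root block, a block address table, a table of contents naming the DSDB block, and a B-tree whose records each begin with the UTF-16BE filename. The build_ds_store helper and the SAMPLE_NAMES list are constructed here so the parser can be exercised offline; nothing about them comes from the page.

```python
"""Extract directory entries from a macOS .DS_Store file (added example)."""
import struct
import sys

# Record data types whose payload has a fixed length (bytes after the 4-byte type tag).
_FIXED_TYPES = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}


def _read_record(buf, pos):
    """Parse one B-tree record at buf[pos]; return (new_pos, filename)."""
    (nchars,) = struct.unpack_from(">I", buf, pos)          # length in UTF-16 code units
    pos += 4
    name = buf[pos:pos + 2 * nchars].decode("utf-16-be")
    pos += 2 * nchars
    dtype = buf[pos + 4:pos + 8]                             # 4-byte structure id, then 4-byte type
    pos += 8
    if dtype in _FIXED_TYPES:
        pos += _FIXED_TYPES[dtype]
    elif dtype in (b"blob", b"ustr"):
        (length,) = struct.unpack_from(">I", buf, pos)
        pos += 4 + (length if dtype == b"blob" else 2 * length)
    else:
        raise ValueError("unknown record type %r" % dtype)
    return pos, name


def extract_filenames(data):
    """Return the sorted set of filenames recorded in a .DS_Store byte string."""
    if data[:8] != b"\x00\x00\x00\x01Bud1":
        raise ValueError("not a .DS_Store file (missing Bud1 magic)")
    root_off, root_size, _ = struct.unpack_from(">III", data, 8)
    root = data[root_off + 4:root_off + 4 + root_size]     # block offsets skip the 4 alignment bytes

    # Root block: address table (padded to a multiple of 256 entries), then the table of contents.
    (nblocks,) = struct.unpack_from(">I", root, 0)
    addrs = struct.unpack_from(">%dI" % nblocks, root, 8)
    pos = 8 + 4 * nblocks + 4 * ((256 - nblocks % 256) % 256)
    (ntoc,) = struct.unpack_from(">I", root, pos)
    pos += 4
    toc = {}
    for _ in range(ntoc):
        n = root[pos]
        toc[root[pos + 1:pos + 1 + n]] = struct.unpack_from(">I", root, pos + 1 + n)[0]
        pos += 5 + n

    def block(block_id):
        addr = addrs[block_id]                               # low 5 bits: log2(size); rest: offset
        off, size = addr & ~0x1F, 1 << (addr & 0x1F)
        return data[off + 4:off + 4 + size]

    (root_node,) = struct.unpack_from(">I", block(toc[b"DSDB"]), 0)
    names, seen = set(), set()

    def walk(node_id):
        if node_id in seen:                                  # a crafted file could loop the tree
            raise ValueError("cycle in B-tree at block %d" % node_id)
        seen.add(node_id)
        node = block(node_id)
        right_child, count = struct.unpack_from(">II", node, 0)
        pos = 8
        for _ in range(count):
            if right_child:                                  # internal node: child id precedes record
                (child,) = struct.unpack_from(">I", node, pos)
                pos += 4
                walk(child)
            pos, name = _read_record(node, pos)
            names.add(name)
        if right_child:
            walk(right_child)

    walk(root_node)
    return sorted(names)


def _addr(offset, size):
    """Encode a block address: offset (multiple of 32) ORed with log2(size)."""
    return offset | (size.bit_length() - 1)


def build_ds_store(names):
    """Construct a minimal, structurally valid .DS_Store listing `names` (test input only)."""
    records = b""
    for name in names:
        utf16 = name.encode("utf-16-be")                     # one 'Iloc' blob record per entry
        records += struct.pack(">I", len(utf16) // 2) + utf16
        records += b"Iloc" + b"blob" + struct.pack(">I", 16) + bytes(16)
    leaf = struct.pack(">II", 0, len(names)) + records       # P=0 marks a leaf node
    leaf_size = 1 << max(5, (len(leaf) - 1).bit_length())
    leaf_off = max(64, leaf_size)                            # keep blocks size-aligned
    root_off = -(-(leaf_off + leaf_size) // 2048) * 2048
    addrs = [_addr(root_off, 2048), _addr(32, 32), _addr(leaf_off, leaf_size)]
    root = struct.pack(">II", len(addrs), 0) + struct.pack(">3I", *addrs) + bytes(4 * (256 - 3))
    root += struct.pack(">I", 1) + bytes([4]) + b"DSDB" + struct.pack(">I", 1)  # TOC: DSDB -> block 1
    root += bytes(4 * 32)                                    # 32 empty free lists
    dsdb = struct.pack(">5I", 2, 0, len(names), 1, 0x1000)   # root node is block 2, one node total
    buf = bytearray(4 + root_off + 2048)
    buf[0:8] = b"\x00\x00\x00\x01Bud1"
    buf[8:20] = struct.pack(">III", root_off, 2048, root_off)
    buf[36:36 + len(dsdb)] = dsdb                            # block 1 lives at offset 32 (+4)
    buf[4 + leaf_off:4 + leaf_off + len(leaf)] = leaf
    buf[4 + root_off:4 + root_off + len(root)] = root
    return bytes(buf)


# Constructed sample: a deployed directory whose backup file a wordlist would never hit.
SAMPLE_NAMES = ["index.html", "logo.png", "db-backup-7c1f9e2a.sql.gz"]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_ds_store(SAMPLE_NAMES)
    for entry in extract_filenames(data):
        print(entry)
```

Run it with the path to a downloaded .DS_Store, or with no arguments to parse the constructed sample. Each .DS_Store only lists the directory it sits in, so a recon pass should request .DS_Store again in every subdirectory it reveals; the struct ids (Iloc, bwsp, etc.) are skipped here because only the filenames matter for this attack.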