RFD Checker and Security Assessment Mindset

I recently published two repos on my GitHub account. One is RFD Checker, which I wrote with my colleague Paulo Silva; it scans for Reflected File Download vulnerabilities. The other is a security assessment mindmap (also available in other formats). This last one has had pretty good success just because it is a mindset… Continue reading RFD Checker and Security Assessment Mindset

Google Finance Reflected File Download

I found this vulnerability while auditing another client. With this RFD you don't need to create a page to force the download: the request for this Google JSON file already does that for us. I noticed this request: http://www.google.com/finance/info?q=ELI:ALTR&callback=? which returned the following information: // [ { "id": "703655" ,"t" : "ALTR" ,"e"… Continue reading Google Finance Reflected File Download

Bing Reflected File Download

While using the Bing online translator I noticed an XHR request in my browser that caught my attention: http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499 whose response reflected the callback name on the screen: jQuery111207287312552798539_1444907172498(); As a security researcher I always try to find different ways to bypass security controls, especially those related to Reflected File Download, so I tried to inject an RFD vector… Continue reading Bing Reflected File Download

Why do some vendors ignore RFD attacks?

Since I published my Reflected File Download Cheat Sheet I've been getting lots of private messages and emails from security researchers and bounty hunters telling me that most companies ignore RFD attacks. So I decided to clear things up and answer the three most popular questions. First, a little introduction. In my opinion there are three ways of implementing… Continue reading Why do some vendors ignore RFD attacks?

MailChimp Reflected File Download

While auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that can only be exploited by using the HTML5 download attribute. Let's take a look at the original GET request: http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=? This request is part of the subscription to an email campaign at MailChimp. Checking the… Continue reading MailChimp Reflected File Download

Workable Reflected File Download

For those who don't know Workable.com… Workable is affordable, usable hiring software. It replaces email and spreadsheets with an applicant tracking system that your team will actually enjoy using. From building a branded careers page to posting ads on multiple job boards, Workable makes it simple. Browse rich profiles of your candidates and work effectively… Continue reading Workable Reflected File Download

SendGrid Reflected File Download

For those who don't know who SendGrid is… SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as Airbnb, Foursquare, Spotify and Uber. They send over 19 billion emails per month. While visiting their site I noticed an XHR request in my Google Inspector that caught my attention:… Continue reading SendGrid Reflected File Download

Reflected File Download Cheat Sheet

This article is focused on showing infosec people how to test for and exploit a Reflected File Download vulnerability, a class discovered by Oren Hafif of Trustwave. This vulnerability is not very well known, but if well executed it can be very dangerous. I've been writing security reports on RFD since January 2015 (most still undisclosed) and found… Continue reading Reflected File Download Cheat Sheet

Shopify open to an RFD attack

Before Shopify had a bounty program on HackerOne I had already sent (on 19 March) a security report about a Reflected Filename Download I found on their website. It doesn't require any authentication such as an access_token or api_key, or even an account on Shopify. The problem is located under the app.shopify.com service. On Internet Explorer 9 and 8 browsers… Continue reading Shopify open to an RFD attack