Researchers Exploit File Upload Restrictions for Client-Side Path Traversal

To exploit CSPT (Client-Side Path Traversal), attackers craft malicious "gadget" files that look legitimate to a file upload mechanism but are also valid JSON, so that the target's front-end JavaScript will parse them.

By carefully constructing files that adhere to JSON syntax (strings, numbers, arrays and objects) while incorporating malicious JavaScript code within those structures, attackers can bypass common file validations.

Techniques include leveraging whitespace, escaping characters, and exploiting the flexibility of JSON to embed arbitrary data, which effectively conceals a malicious payload inside a seemingly innocuous file format such as a PDF or an image. The result is that an attacker can execute arbitrary JavaScript in the context of the target website, potentially leading to severe security vulnerabilities.
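The front-end half of the problem is the script that builds a JSON fetch URL from a user-controlled identifier. The following is an added example, not code from the article or from Doyensec; the API layout (`API_BASE`, `<id>.json`), the `SAFE_ID` pattern and the profile schema are assumptions made for the illustration. It contrasts a naive URL builder with one that allowlists and encodes the identifier, and adds a schema check on the parsed response so a gadget file that does get fetched is still not acted on.

```javascript
// Added example (not the article's or Doyensec's code). Models the
// front-end side of CSPT: a script that fetches "<API_BASE><id>.json".
const API_BASE = 'https://app.example/api/users/'; // assumed API layout

// Naive: the identifier is concatenated straight into the path. The URL
// parser resolves any "../" segments, so the request can be steered to a
// different path on the same origin (for example an upload directory that
// holds an attacker-controlled JSON gadget file).
function naiveProfileUrl(userId) {
  return new URL(userId + '.json', API_BASE).href;
}

// Hardened: allowlist the identifier's shape before it touches the path,
// then percent-encode it so no separator or dot sequence survives.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed identifier format
function safeProfileUrl(userId) {
  if (!SAFE_ID.test(userId)) {
    throw new Error('rejected identifier: ' + JSON.stringify(userId));
  }
  return new URL(encodeURIComponent(userId) + '.json', API_BASE).href;
}

// Second line of defence: refuse to act on a JSON response that does not
// match the expected profile shape exactly. An uploaded gadget file must
// then reproduce the full schema, not merely be valid JSON.
function parseProfile(jsonText) {
  let obj;
  try { obj = JSON.parse(jsonText); } catch { return null; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (Object.keys(obj).sort().join(',') !== 'displayName,id') return null;
  if (typeof obj.id !== 'string' || typeof obj.displayName !== 'string') return null;
  if (!SAFE_ID.test(obj.id)) return null;
  return { id: obj.id, displayName: obj.displayName };
}

// Constructed inputs for a stand-alone run (not real traffic).
console.log(naiveProfileUrl('alice'));                 // stays under /api/users/
console.log(naiveProfileUrl('../../uploads/gadget'));  // resolves outside /api/users/
console.log(safeProfileUrl('alice'));
try { safeProfileUrl('../../uploads/gadget'); } catch (e) { console.log(e.message); }
console.log(parseProfile('{"id":"alice","displayName":"Alice"}'));
console.log(parseProfile('{"note":"x","id":"alice"}'));  // null: unexpected shape
```

The allowlist is the actual fix; `encodeURIComponent` alone would stop `../` but still lets the identifier carry other characters the API never expected, and the response-shape check is what limits the damage when a path-building bug is missed elsewhere in the code base.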

By manipulating the file structure or headers, it is possible to circumvent MIME type validation, a common method for deciding whether an uploaded file is valid.

The mmmagic library is used in Node.js to identify file types by checking a file against a magic database. Uploads can be validated with mmmagic by calling the detectAsync function and checking its result, throwing an error if the file is not a PDF.

The technique exploits a weakness in the library's PDF validation: by placing the "%PDF" magic bytes within the first 1024 bytes of a JSON object, an attacker can trick the library into misclassifying the file as a PDF.

This works because the library only requires the magic bytes to be present somewhere in the initial 1024 bytes, regardless of their position within the file structure, so a JSON payload can be uploaded disguised as a PDF, potentially leading to unexpected behavior or security breaches in the application.

A related trick bypasses pdflib validation by manipulating the PDF structure: the line-feed characters between PDF object definitions are replaced with spaces, so the file appears valid to pdflib while keeping its JSON structure.

Example for creating a file

The file then passes the upload checks, even though it may not render in modern PDF viewers. The key is that pdflib validates the overall structure, not the renderability of the PDF, which is what makes this manipulation possible.

The file command reads only a limited number of bytes from a file. By padding a malicious file with whitespace characters, an attacker can cause the file command to hit this limit and fail to parse the file correctly.

As a result, the file command may misclassify the malicious file as a different type, such as a PDF, which lets an attacker upload it to a system that relies on the file command for validation.

According to Doyensec, such libraries often check for specific magic numbers at a predefined offset within the file. In the case of file-type, it checks for the magic bytes of the WEBP format at offset 8.

An attacker can therefore craft a JSON file that places the WEBP magic bytes at exactly that offset, so the file passes the file-type check as an image while still containing valid JSON data that can be exploited for malicious purposes.
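The server-side checks discussed above fail for three separate reasons: a signature is accepted anywhere inside the first 1024 bytes (the mmmagic case), a signature is accepted at one fixed offset with no check of the bytes around it (the file-type WEBP case), and the pdflib and file-command cases both rely on the body staying valid JSON. The following added example, written in plain Node.js and not taken from the article, from Doyensec, or from the mmmagic or file-type libraries, shows a lenient detector that only models the behaviour the article attributes to those tools next to a hardened one. The two-entry signature table and the sample buffers are constructed for the illustration.

```javascript
// Added example (not the article's or Doyensec's code, and not the real
// mmmagic/file-type logic): lenient versus hardened upload classification.

// Signature table: every byte pinned to an exact offset. Only the two
// formats the article discusses are included (constructed, minimal set).
const SIGNATURES = [
  { type: 'pdf',  parts: [{ offset: 0, bytes: '%PDF-' }] },
  { type: 'webp', parts: [{ offset: 0, bytes: 'RIFF' }, { offset: 8, bytes: 'WEBP' }] },
];

function hasBytesAt(buf, offset, ascii) {
  const want = Buffer.from(ascii, 'latin1');
  if (buf.length < offset + want.length) return false;
  return buf.subarray(offset, offset + want.length).equals(want);
}

// Lenient detector, modelling the weaknesses the article describes:
// "%PDF" anywhere in the first 1024 bytes counts as a PDF, and "WEBP" at
// offset 8 counts as an image without looking at anything else.
function lenientDetect(buf) {
  if (buf.subarray(0, 1024).indexOf('%PDF') !== -1) return 'pdf';
  if (hasBytesAt(buf, 8, 'WEBP')) return 'webp';
  return 'unknown';
}

// A genuine PDF or WebP never parses as JSON, so a successful parse is a
// strong gadget-file signal regardless of what the signature scan said.
function parsesAsJson(buf) {
  try { JSON.parse(buf.toString('utf8')); return true; } catch { return false; }
}

// Hardened detector: no leading whitespace (defeats the padding trick),
// nothing that parses as JSON, and every signature byte at its exact offset.
function strictDetect(buf) {
  if (buf.length === 0) return 'rejected';
  const b = buf[0];
  if (b === 0x20 || b === 0x09 || b === 0x0a || b === 0x0d) return 'rejected';
  if (parsesAsJson(buf)) return 'rejected';
  for (const sig of SIGNATURES) {
    if (sig.parts.every(p => hasBytesAt(buf, p.offset, p.bytes))) return sig.type;
  }
  return 'unknown';
}

// Constructed sample inputs (not real files, not real upload traffic).
const SAMPLES = {
  realPdf:  Buffer.from('%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n', 'latin1'),
  realWebp: Buffer.from('RIFF\x10\x00\x00\x00WEBPVP8 ', 'latin1'),
  // JSON that merely mentions the PDF marker inside a string value
  jsonWithPdfMarker: Buffer.from('{"note":"%PDF-1.4","x":1}', 'utf8'),
  // JSON whose key length puts the letters "WEBP" at byte offset 8
  jsonWithWebpAtOffset8: Buffer.from('{"abc":"WEBP","d":1}', 'utf8'),
  // JSON pushed behind a run of whitespace, with the marker still in range
  paddedJson: Buffer.from(' '.repeat(512) + '{"k":"%PDF"}', 'utf8'),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(22), 'lenient:', lenientDetect(buf).padEnd(7), 'strict:', strictDetect(buf));
}
```

The JSON-parse refusal is the check that covers every variant in the article at once, because each gadget only works if the front-end can still parse the upload as JSON. It belongs alongside, not instead of, the positional signature check and the usual server-side controls: storing uploads on a separate origin from the one the front-end fetches API data from removes the CSPT gadget path entirely, whatever the validator accepts.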

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
