Security Testing Malacious File Execution - Security Testing

What is malicious file execution?

Developers frequently use or append potentially sensitive input with file or assume that input files are genuine. When the data is NOT tested properly, this will result in processing or invoking of vulnerable content by the web server.

Examples:

Following are some of the classic examples of :

  • Upload .jsp file into web tree.
  • Upload .gif to be resized.
  • Upload huge files.
  • Upload file containing tags.
  • Upload .exe file into web tree.

Hands ON

1 .Launch WebGoat and go to Malacious file execution section. The screenshot of the scenario is shown below.

Security Testing - Malacious File Execution

2 .In order to finish this lesson we require that the guest.txt file is generated on execution of the jsp. The Name of the jsp has no role to play in this scenario as we will be executing the jsp file content.

3 .Now upload the jsp file and copy the location of link of the same after uploading. The upload is anticipating for an image but we are uploading a jsp.

Security Testing - Malacious File Execution

4 .By navigating to the jsp file there will not be any note(message) to the user.

5 .Now refresh the session where you have uploaded the jsp file and you can view the message as "you have successfully finished the lesson".

Security Testing - Malacious File Execution

What are the preventing Mechanisms?

  • By securing Sites with Web Site Permissions.
  • By adopting Counter measures for Web Application Security
  • By understanding the Built-In User and Group Accounts in IIS 7.0

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd DMCA.com Protection Status

Security Testing Topics