add readme for content-type bypass and input validation

2025-04-08 17:22:49 +02:00
parent 30b2ba0738
commit adea3bb76a
2 changed files with 61 additions and 0 deletions

@ -0,0 +1,42 @@
# Content-Type Bypass
## How We Found It
We found this page on the home page, at the bottom there is an Add image button. on this page we can upload a file.
what happens if we try to upload a normal image ?
```
/tmp/JavaScript-logo.jpg succesfully uploaded.
```
intresting. the site tells me where the file is uploaded which might not be a good idea. what if I upload a script and somehow manage to make the server execute it.
Let's try to send a random file I have.
```
Your image was not uploaded.
```
:( why doesn't it accept my file. is it the extention ? let's try to rename it
```
/tmp/output.jpg succesfully uploaded.
```
it is uploaded but I don't get anything. maybe I need to do something else, how would it be executed if it doesn't have the right extention.
let's modify the headers and request content using curl.
first, we're going to try to upload a file normally using curl with this command :
```
curl -X POST -F "uploaded=@JavaScript-logo.jpg" -F Upload=Upload "http://192.168.56.101/?page=upload"
```
it worked, nice now let's try to modify the content-type settings in the `uploaded` field with this command
```
curl -X POST -F "uploaded=@output.path;type=image/jpeg" -F Upload=Upload "http://192.168.56.101/?page=upload"
```
it worked and I got the flag.
## Utility of It
- Allows an attacker to upload and possibly execute malicious files (e.g., scripts or binaries) on the server.
- Can lead to Remote Code Execution (RCE) if the file is interpreted by the server.
- Can expose internal paths or enable path traversal, depending on how uploaded files are handled.
- Dangerous in CTFs and real-world apps alike.
## How Can We Patch It
- Strictly validate file types server-side, not just by extension or content-type header.
- Use MIME sniffing + magic byte checks to confirm file content matches expected type.
- Rename uploaded files and store them in non-executable directories.
- Disallow direct access to uploaded files unless absolutely necessary.
- If uploads are needed, serve them via a proxy or from a CDN that does not allow execution.
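Review bot: the write-up never states which check the server actually performs, so the reader cannot see why the `;type=image/jpeg` part of the second curl command makes the difference; add one sentence after `it worked and I got the flag.` saying that the upload handler trusts the `Content-Type` of the multipart part (and apparently the extension), both of which are set by the client and so prove nothing about the file's content. The filenames are also inconsistent: the renamed file appears as `/tmp/output.jpg` in the earlier output, but the curl command sends `uploaded=@output.path`, so either the file was renamed again or the command was edited afterwards; use one name throughout. In "How Can We Patch It", the magic-byte bullet should say that a header check only proves the file starts like an image, so it complements the bullet about renaming and storing in a non-executable directory rather than replacing it. In "Utility of It", `Can expose internal paths or enable path traversal` mixes something the page demonstrates (the server echoes `/tmp/...`) with something it does not (path traversal); split that bullet or drop the traversal claim. Minor spelling: `intresting`, `extention`.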

@ -0,0 +1,19 @@
# Client side validation bypass
## How We Found It
On the home page, there is a link to a survey page. this page has a list of subject, an average score and a number of vote. We can give a grade between 0 and 10.
But what if we change in the html page, the value of a score and put something bigger than 10, can we put a grade of 1000 ?
Yes we can, and we get a flag.
## Utility of It
This allows an attacker to:
- Submit invalid or malicious data (e.g., score > 10).
- Manipulate application logic (e.g., gain unfair advantage or retrieve flags).
- Potentially exploit further vulnerabilities if the data is used insecurely elsewhere (e.g., SQL injection, XSS).
## How Can We Patch It
- Validate all input on the server side regardless of client-side checks.
- Enforce boundaries (e.g., score must be between 0 and 10) on the backend.
- Use a schema validation library or built-in mechanisms to reject bad data.
- Never trust client-side data blindly — browsers can be manipulated.
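Review bot: "How We Found It" omits what was actually changed and sent, which makes the fix list hard to check against the finding: say which form field carries the score (the text only says `the value of a score`) and what the server did with it besides returning the flag, for example whether the 1000 appeared in the average. In "Utility of It", the third bullet overstates the finding: an out-of-range number is not by itself an SQL injection or XSS; the demonstrated problem is that the backend accepts whatever the client sends for this field, so reword the bullet to say that the missing server-side check lets arbitrary input reach the backend, and that the injection risks are hypothetical here, not observed. "How Can We Patch It" is otherwise sound; consider adding that the client-side range (0 to 10) should stay as a usability aid and be mirrored by the server rule, so the two do not drift apart.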