Accessing and overwriting arbitrary attributes #359

Open
Abdulrah33m opened this issue Dec 4, 2023 · 0 comments
Issue template

Context

Please check:

  • I've read the docs for Wfuzz

Please describe your local environment:

Wfuzz version (output of wfuzz --version): 3.1.0
Python version (output of python --version): Python 3.11.6
OS: Ubuntu 23.10

Report

What is the current behavior?

Wfuzz --filter, --prefilter and --efield options do not perform enough validation on the user's input, which allows us to recursively get and set attributes of various objects that are accessible from the original objects/filters. This is due to the rsetattr and rgetattr functions of obj_dyn.py relying on a regex to validate the user's input, which can still be leveraged to access various attributes and objects that shouldn't be accessible.
We can leverage Python special attributes such as __base__, __class__, __globals__, etc. to disclose information (locally) or to cause unexpected behavior.

What is the expected or desired behavior?

While this shows a very limited attack vector since this runs locally, Wfuzz should use a white-list approach to prevent accessing arbitrary objects and attributes.

Please provide steps to reproduce, including exact wfuzz command executed and output:

There are different ways we can leverage this, either by using --filter and --prefilter to set attributes of an object or --efield to access arbitrary attributes.

Accessing the __globals__ attribute:

abdulrah33m@ubuntu:~$ wfuzz -z range,0-0 --efield "r.__init__.__globals__" https://www.google.com/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://www.google.com/FUZZ
Total requests: 1

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                 
=====================================================================

000000001:   404        11 L     72 W       1558 Ch     "0 | {'__name__': 'wfuzz.fuzzrequest', '__doc__': None, '__package__': 'wfuzz', '__loader__': <_frozen_importlib_externa
                                                        l.SourceFileLoader object at 0x7f125720ba50>, '__spec__': ModuleSpec(name='wfuzz.fuzzrequest', loader=<_frozen_importlib
                                                        _external.SourceFileLoader object at 0x7f125720ba50>, 
<REDACTED>

Manipulating the actual URL using --prefilter option:

abdulrah33m@ubuntu:~$ wfuzz -z list,blahblah --prefilter "r._request.completeUrl:='https://github.com'" --efield "r.url" https://www.google.com/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://www.google.com/FUZZ
Total requests: 1

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                 
=====================================================================

000000001:   301        0 L      0 W        0 Ch        "blahblah | https://github.com/"                                                                                        

Total time: 0.118809
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 8.416854

Other relevant information:

During my recent research on Prototype Pollution in Python, I was looking for open-source projects that allow users to recursively get/set attributes of Python objects, to show real-world scenarios of how this attack might exist. This is when I came across the rsetattr and rgetattr functions and how they allow us to manipulate objects.
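The allow-list approach the report asks for, as an added example rather than Wfuzz's own obj_dyn.py code: every step of a dotted path is checked against a per-type allow-list before getattr/setattr runs, so paths like r.__init__.__globals__ or r._request.completeUrl are rejected while r.url stays usable. The Request and FuzzResult classes and the ALLOWED_ATTRS table are constructed stand-ins, not Wfuzz's classes.

```python
from typing import Any
# Per-type allow-list of attribute names a filter expression may reach.
# Constructed for this example; a real deployment would list the documented
# result fields (r.url, r.code, ...) rather than validating names with a regex.
ALLOWED_ATTRS: dict[type, frozenset[str]] = {}

class AttributeAccessError(Exception):
    pass

def _check(obj: Any, name: str) -> None:
    # Reject non-identifiers and any "_"-prefixed name up front (covers __class__,
    # __init__, __globals__, _request); the rest must be allow-listed for the type.
    if not name.isidentifier() or name.startswith("_"):
        raise AttributeAccessError(f"attribute {name!r} is not allowed")
    if name not in ALLOWED_ATTRS.get(type(obj), frozenset()):
        raise AttributeAccessError(f"{type(obj).__name__}.{name} not allow-listed")

def safe_rgetattr(obj: Any, path: str) -> Any:
    # Walk a dotted path such as "url", checking every step before getattr.
    for part in path.split("."):
        _check(obj, part)
        obj = getattr(obj, part)
    return obj

def safe_rsetattr(obj: Any, path: str, value: Any) -> None:
    # Resolve the parent through the checked getter, then check the last step.
    head, _, last = path.rpartition(".")
    target = safe_rgetattr(obj, head) if head else obj
    _check(target, last)
    setattr(target, last, value)

def is_allowed(obj: Any, path: str) -> bool:
    # Convenience predicate: does the whole path pass the allow-list?
    try:
        safe_rgetattr(obj, path)
    except AttributeAccessError:
        return False
    return True

# Constructed stand-ins for the objects a filter sees (not Wfuzz's classes).
class Request:
    def __init__(self, url: str) -> None:
        self.completeUrl = url

class FuzzResult:
    def __init__(self, url: str, code: int) -> None:
        self._request = Request(url)
        self.url = url
        self.code = code
ALLOWED_ATTRS[FuzzResult] = frozenset({"url", "code"})
```

Because the allow-list is keyed by the object's type, a path that steps into an allowed value (for example url.upper) is still rejected unless str attributes are listed too.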
