Active attacks can inject into multipart form value request bodies
Purpose
Browsers can encode the body of a request multiple ways when a form is submitted by the user. One of these is `multipart/form-data`.
Form values POSTed using this content type should be parsed so that an injection location is created for each field. Injection locations should not be created for file upload fields.
Example
For a request that has the header `Content-Type: multipart/form-data; boundary=WebkitFormBoundary1234` and the body:

```
--WebkitFormBoundary1234
Content-Disposition: form-data; name=user

fred
--WebkitFormBoundary1234
Content-Disposition: form-data; name=pwd

Pa$$w0rd
--WebkitFormBoundary1234--
```

Two injection locations should be created, one that substitutes the field `user`, and one which substitutes the field `pwd`.
Implementation plan
- Build an implementation of `browserk.InjectionLocation`, called `MultipartFormDataInjectionLocation`.
- The new type should define a `Find...` method that returns a `browserk.InjectionLocationDetector`. This method should find all possible injection locations.
- Add the Find method to the `InitializeInjectionLocationDetectionService` in DI.
- Go libraries should be used to parse a multipart form request. For an example, see `HTTPRequest.FormValues`.
- Query string parameters should not result in an injection location (this is handled separately in `QueryParameterValueInjectionLocation`).
- Form URL encoded form submit post request bodies should not result in an injection location (this is handled separately by `XWWWFormURLEncodedBodyInjectionLocation`).
- The `Modify` method should recreate a `multipart/form-data` request body. The `injection` should be used in place of the injection location's value. Update the `browserk.AttackRequest` with the new body.
- Ensure that proper encoding is used (may have to look up the RFC specification).
- Uploading files often uses multipart form data requests; these are likely not going to be supported as an injection location (please test).
- This must be very well unit tested, including both happy and sad paths. Please look up examples of how this request body can be formatted and ensure they work.
- Please add an integration test (example: `TestCheck22_1WithQueryParameterInjection`).
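As an added illustration (not browserk code or part of this MR), the Go function below covers both halves of the plan using only the standard library's `mime/multipart`: it enumerates the non-file field names that would become injection locations and re-encodes the body with one field's value substituted, keeping each part's headers and any file parts intact. The function name `Substitute` and the `sampleCT`/`sampleBody` constants are this example's own; the sample is constructed from the issue's example request.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
)

// Constructed sample mirroring the issue's example request (not captured traffic).
const sampleCT = "multipart/form-data; boundary=WebkitFormBoundary1234"
const sampleBody = "--WebkitFormBoundary1234\r\nContent-Disposition: form-data; name=\"user\"\r\n\r\nfred\r\n" +
	"--WebkitFormBoundary1234\r\nContent-Disposition: form-data; name=\"pwd\"\r\n\r\nPa$$w0rd\r\n--WebkitFormBoundary1234--\r\n"

// Substitute parses a multipart/form-data body with mime/multipart, lists every
// non-file field (the candidate injection locations) and re-encodes the body with
// the value of `field` replaced by `value`. File parts are copied through as-is.
// It returns the new Content-Type (fresh boundary), the new body and the names.
func Substitute(ct string, body []byte, field, value string) (string, []byte, []string, error) {
	_, params, err := mime.ParseMediaType(ct)
	if err != nil || params["boundary"] == "" {
		return "", nil, nil, fmt.Errorf("not a usable multipart content type: %q", ct)
	}
	rd := multipart.NewReader(bytes.NewReader(body), params["boundary"])
	out := &bytes.Buffer{}
	w := multipart.NewWriter(out) // picks a fresh boundary; see FormDataContentType
	var names []string
	for {
		p, err := rd.NextPart()
		if err == io.EOF {
			break
		} else if err != nil {
			return "", nil, nil, err
		}
		pw, _ := w.CreatePart(p.Header) // headers kept verbatim; bytes.Buffer writes cannot fail
		if p.FileName() == "" { // file upload fields are not injection locations
			names = append(names, p.FormName())
			if p.FormName() == field {
				io.WriteString(pw, value)
				continue
			}
		}
		if _, err := io.Copy(pw, p); err != nil { // read errors from the part itself
			return "", nil, nil, err
		}
	}
	w.Close() // writes the closing boundary; cannot fail on a bytes.Buffer
	return w.FormDataContentType(), out.Bytes(), names, nil
}
```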
Reference
An example equivalent MR of adding a similar injection location is "Add query parameter injection location to active attacks".
Edited by Cameron Swords