CAPEC-48: Passing Local Filenames to Functions That Expect a URL
This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
Last updated
Overview
CAPEC-48 (Passing Local Filenames to Functions That Expect a URL) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify web application URL inputs] Review application inputs to find those that are designed to be URLs.
- Manually navigate web site pages to identify URLs.
- Use automated tools to identify URLs.
- Step 2Experiment
[Identify URL inputs allowing local access.] Execute test local commands via each URL input to determine which are successful.
- Manually execute a local command (such as 'pwd') via the URL inputs.
- Using an automated tool, test each URL input for weakness.
- Step 3Exploit
[Execute malicious commands] Using the identified URL inputs that allow local command execution, execute malicious commands.
- Execute local commands via the URL input.
What the attacker needs
Prerequisites
- The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser
Skills required
- Medium skill: Attacker identifies known local files to exploit
Consequences
What a successful CAPEC-48 attack can achieve.
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-48.
- Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
- Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.
- Design: Use browser technologies that do not allow client side scripting.
- Implementation: Perform input validation for all remote content.
- Implementation: Perform output validation for all remote content.
- Implementation: Disable scripting languages such as JavaScript in browser
Examples
J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains hibernate.connection.driver_class = org.postgresql.Driver hibernate.connection.url = jdbc:postgresql://localhost/mydatabase hibernate.connection.username = username hibernate.connection.password = password hibernate.c3p0.min_size=5 hibernate.c3p0.max_size=20 Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.
Frequently asked questions
Common questions about CAPEC-48.
- What is CAPEC-48?
- This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
- How does a Passing Local Filenames to Functions That Expect a URL attack work?
- It typically unfolds over 3 phases. It begins with: [Identify web application URL inputs] Review application inputs to find those that are designed to be URLs.
- How do you prevent CAPEC-48?
- Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
- What weaknesses does CAPEC-48 target?
- CAPEC-48 exploits 2 CWE weaknesses, including CWE-241 (Improper Handling of Unexpected Data Type), CWE-706 (Use of Incorrectly-Resolved Name or Reference).
- How severe is CAPEC-48?
- MITRE rates CAPEC-48 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-48
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.