
Cryptocurrency platform mitigates high severity vulnerability before Server Takeover can be exploited


Servers and databases are a company's critical assets, and keeping their data secure is especially challenging on financial platforms such as cryptocurrency platforms, which are lucrative targets because attackers have a direct monetary motive to break into these websites.

The consequences of unrestricted file upload vary: complete system takeover, an overloaded file system or database, attacks forwarded to back-end systems, client-side attacks, or simple defacement. That is what we recently found on one cryptocurrency platform, where an unrestricted file upload could have led to server takeover or account takeover.

The platform is a peer-to-peer network of retail service providers combined with online and mobile applications aimed at providing financial empowerment. It is available globally in over 40 currencies, with a market cap of $20M+.


Description:

Malicious file uploads are the result of improper file validation: OWASP calls it Unrestricted File Upload, and MITRE calls it Unrestricted Upload of File with Dangerous Type.

Allowing users to upload images is one of the most common features in web apps, but verifying that the user is actually uploading a legitimate image is still a challenge for web apps today. Allowing users to upload .php, .html or unsafe SVG files leads to a variety of attacks, up to compromise of the whole system. Modern frameworks provide built-in protection against most of these common attacks.


What was the Risk?

The vulnerability existed in the KYC section of the crypto platform, where users upload documents such as proof of address or passport details before they can trade. A bad actor could take advantage of it by uploading malicious .php files and learning the path where those files were stored. Instead of the PHP code being filtered out, the server executed it.

The web server can then be compromised by uploading and executing a web shell, which can run commands, browse system files and local resources, attack other servers, exploit local vulnerabilities, and so forth.


Mitigation or fix:

Use whitelisting and blacklisting of file extensions, "Content-Type" header validation and file type detectors, but implement them properly so that they do not lead to further information disclosure or other attacks.


Some tips for developers:

  • The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality.
  • Never accept a filename and its extension directly without having a whitelist filter.
  • All control characters and Unicode characters should be removed from filenames and their extensions without exception. Special characters such as ";", ":", ">", "<", "/", "\", additional ".", "*", "%", "$", and so on should be discarded as well. If applicable and there is no need for Unicode characters, it is highly recommended to accept only alphanumeric characters and a single dot for the file name and extension, where neither the file name nor the extension may be empty (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).
  • The upload directory should not have any "execute" permission, and all script handlers should be removed from these directories.
  • Limit the file size to a maximum value in order to prevent denial of service attacks.
  • The application should perform filtering and content checking on every file uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users. If in doubt, the file should be discarded.
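The following is an added example, not code from the platform or from this article, showing how the tips above combine into one server-side check for a KYC document upload: path stripping, removal of control and Unicode characters, the article's whitelist regex, an extension whitelist, Content-Type validation, a magic-byte content check and a size cap. The allowed types, the 5 MB limit and the sample inputs are assumptions constructed for the example.

```python
import re

# Constructed policy for the KYC upload form (assumption: the business only needs
# scanned passports or address proofs as JPEG, PNG or PDF).
# extension -> (MIME type the client must declare, magic bytes the content must start with)
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_BYTES = 5 * 1024 * 1024  # size cap against upload-based denial of service
# The article's pattern: alphanumeric name, exactly one dot, alphanumeric extension.
NAME_RE = re.compile(r"[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}")

class UploadRejected(ValueError):
    """Raised with a short reason code when an upload fails validation."""

def validate_upload(filename: str, data: bytes, content_type: str) -> str:
    """Return the sanitized name the file may be stored under, or raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("size")
    # Keep only the last path component: the client-supplied path is never trusted.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Remove control and non-ASCII (Unicode) characters without exception.
    base = "".join(ch for ch in base if 32 <= ord(ch) < 127)
    # Whitelist filter on the whole name; a second dot (shell.php.jpg) fails here.
    if not NAME_RE.fullmatch(base):
        raise UploadRejected("name")
    name, ext = base.rsplit(".", 1)
    ext = ext.lower()
    # Extension whitelist: .php, .html, .svg and anything else are simply absent.
    if ext not in ALLOWED:
        raise UploadRejected("ext")
    mime, magics = ALLOWED[ext]
    # Content-Type header validation: the declared type must match the extension.
    if content_type.split(";")[0].strip().lower() != mime:
        raise UploadRejected("content-type")
    # File type detection: PHP source renamed to .jpg fails the magic-byte check.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content")
    return f"{name}.{ext}"

def is_accepted(filename: str, data: bytes, content_type: str) -> bool:
    """True if the upload passes every check, False otherwise."""
    try:
        validate_upload(filename, data, content_type)
        return True
    except UploadRejected:
        return False
```

Store accepted files outside the web root or in a directory with no execute permission and no script handlers, as the tips above describe; this function only decides whether a file may be stored at all.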

Here you'll find all the latest industry news and research by the experts at Appsecuri.