Evil XHR

XMLHttpRequest() in a local HTML file can read the directory index and upload all files from the current directory to a remote server

XMLHttpRequest() in a local HTML file has access to all files in the same directory and all sub-(sub-...)directories. An attacker must, however, know the exact filename (including the exact relative path) in order to read the contents of a file and send it to a remote server. This is, nevertheless, a security issue, because an attacker could mount a brute-force or dictionary attack against filenames.

Another peculiar feature, however, allows the directory index itself to be read by XMLHttpRequest(). This is possible if the user first visits the URL of the current directory (e.g. file:///home/user/Downloads/) and then clicks on the link to the malicious HTML file in the directory index provided by the browser.

A third interesting feature allows an attacker to redirect users to the directory index only the first time (or every second time) they visit the malicious local HTML page. This is done by simply setting a cookie. There might be a good reason for allowing cookies for the URI scheme 'file', but, in this case, the feature helps the attacker to complete the data theft.

The following attack scenario seems plausible. A victim saves an HTML file in the Downloads folder. (The victim might have received the file by email; or downloaded it from a malicious website offering, e.g., free HTML books; or downloaded it from a corporate website where a malicious employee had uploaded it.) The victim clicks on the filename in the file manager. The file is opened in the default Firefox browser. The malicious JavaScript is executed and the victim is redirected to the directory index. The victim is a little surprised, but then clicks again on the filename, this time in the browser's index. The contents of the HTML document are displayed (no redirect this time). In the background, the malicious JavaScript first reads the directory index, then the contents of each file in the Downloads directory, and sends all the data to a website controlled by the attacker.

A ZIP archive, evilXHR.zip, containing two files is attached. The first file, evilXHR.html, is a proof of concept. The second file, evilXHR.php, is a short script that can be used to receive and store, on the server, the files uploaded by evilXHR.html.

Dr. Vladimir Bostanov, SySS GmbH