Zip bomb attack

A while ago I encountered an application which had file upload functionality exclusive to zip files. One of my witting seniors told me you can perform a zip bomb attack, and so I did.

It was simple enough to perform and I’ll explain the process I went through in this article.

After learning that the application allowed only zip files to be uploaded, and those only with a certain naming convention, I researched how to perform a zip bomb attack and learnt that you need a zip bomb in the first place, that is to say, a zip file which unzips to a humongous size. I found one at the link below (shout out to David Fifield @bamsoftware.com):

https://www.bamsoftware.com/hacks/zipbomb/

Visit the above link and you’ll find the three files below available to download.

Three zip bomb files listed and available for download.

The first file, ‘zbsm.zip’, is 42 kB in size and unzips to 5.5 GB, and the rest is obvious.

These files are flagged as viruses by most anti-virus programs, and rightly so. All three are also flagged as dangerous files by the Chrome browser.

For instance, below is the scan report for ‘zbsm.zip’ on the VirusTotal site.

[Image: VirusTotal scan report for ‘zbsm.zip’]

And Chrome will display the warning:

[Image: Chrome dangerous-file download warning]

Having acquired this file, you need two user IDs in the application in question that have access to the same upload functionality.

With one user you upload the file. In my case, I uploaded the file ‘zblg.zip’ (10 MB → 281 TB) as user Bob and the upload got stuck. I was staring at the screen for a while, assuming the application had crashed or something, which led me to upload the file as user Alice, and to my amusement I found an error prompt to the effect of “Disk space is full”. It was only then I learnt that the upload got stuck because there was no storage space left.

This attack was possible because the application was not verifying the file size before writing it onto the disk, which also made me realize that I should have uploaded the 42 kB file in place of the 10 MB one, thereby avoiding the DoS and an earful from my manager. In my feeble defence, the attack was performed in a UAT environment.

The core problem lies in the absence of a file size limit, and hence the solution depends on a file size check.

Code like the following could be implemented on the server side as mitigation (code and explanation by ChatGPT):

[Image: Python code for a prevent_zip_bomb function, described below]
In this code, the prevent_zip_bomb function takes a zip file and a size limit as arguments. The function uses the zipfile module to open the zip file, and then iterates through each file in the archive using the infolist method. The file_size attribute of each ZipInfo object is checked against the size limit, and if any file exceeds the limit, a ValueError is raised to cancel the unzip operation.
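As an added example (not the article’s or ChatGPT’s code), a fuller version of the same check in Python: the size limits are assumed policy values, and the archive it validates is a constructed in-memory sample.

```python
import io
import zipfile

# Limits are assumed policy values for this example, not taken from the article.
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # 50 MiB per entry
MAX_TOTAL_BYTES = 200 * 1024 * 1024  # 200 MiB per archive
CHUNK = 64 * 1024


def prevent_zip_bomb(zip_source, size_limit=MAX_TOTAL_BYTES, entry_limit=MAX_ENTRY_BYTES):
    """Validate an archive before anything is written to disk; return {name: bytes}.

    Phase 1 checks the sizes declared in the central directory, so an honest
    bomb like the 42 kB -> 5.5 GB file is rejected before a byte is inflated.
    Phase 2 inflates every entry in chunks into nothing and counts the bytes
    actually produced, aborting as soon as the running total passes the limit,
    so the decision does not rest on the headers alone.
    """
    with zipfile.ZipFile(zip_source) as zf:
        declared_total = 0
        for info in zf.infolist():
            if info.file_size > entry_limit:
                raise ValueError(f"{info.filename}: declares {info.file_size} B, over entry limit")
            declared_total += info.file_size
            if declared_total > size_limit:
                raise ValueError(f"declared total {declared_total} B exceeds archive limit")
        actual, running = {}, 0
        for info in zf.infolist():
            seen = 0
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    seen += len(chunk)
                    running += len(chunk)
                    if seen > entry_limit or running > size_limit:
                        raise ValueError(f"{info.filename}: inflated bytes exceed limit")
            actual[info.filename] = seen
        return actual


def build_test_archive(entry_sizes):
    """Constructed sample input: an in-memory zip of highly compressible entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i, size in enumerate(entry_sizes):
            zf.writestr(f"entry{i}.txt", b"\0" * size)
    buf.seek(0)
    return buf
```

The declared file_size comes from headers the uploader controls, which is why the second phase counts the inflated bytes itself. The raw upload should additionally be capped before it ever reaches this function, so the disk-full condition described above cannot be triggered by the compressed file alone.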

So it all boils down to the file size limit. This is a very simple attack with a severe impact. If you intend to perform this attack, first obtain proper authorization from management or the concerned authority, and then begin the pen test, mostly with the 42 kB file (‘zbsm.zip’): that is, first check whether the application accepts a file that unzips to 5.5 GB, and then decide what is to be done after coordination with all the concerned parties.

I am emphasizing this because if you upload a file that unzips to 281 TB or more, it will most definitely cause a DoS, which compromises availability and consequently causes financial loss, so keep everyone in the loop. Period.
