Executable Download

Executable File Download

Overview of the Vulnerability

An application's risk level rises when executable files can be downloaded from it, because this increases the chance of a malicious file being downloaded and executed on the server or on an end user's device. An executable file can be downloaded within this application, which lets an attacker observe the contents of the downloaded file through network sniffing or a Person-in-the-Middle (PitM) attack. An attacker could also substitute a malicious executable for the intended file. If the downloaded file contains sensitive information, the attacker could use it to perform further attacks against the application or to impersonate a user.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss for the company, as customers may view the application as insecure. It can also lead to data theft, depending on the content of the downloadable executable files in the application.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Route all application traffic through the HTTP interception proxy

  3. Use a browser to navigate to: {{URL}}

  4. Observe within the HTTP interception proxy that an executable file is downloaded

Proof of Concept (PoC)

The screenshot below shows that an executable file can be downloaded:

{{screenshot}}

Recommendation(s)

Reduce the application's reliance on downloadable executable files. Where they are required for users to perform business-as-usual functions within the application, every downloadable file should pass an integrity check and be stored and transmitted over an encrypted channel. Additionally, files with .bat, .cmd, and .exe extensions should undergo additional scrutiny, with both the business need for each file and the security of the file itself assessed.
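As an added illustration of the integrity check and extension scrutiny recommended above (example code written for this page, not part of the template or of any product): a server-side gate that serves a file only if it is on a build-time allowlist, its SHA-256 matches the recorded hash, and any .exe, .bat or .cmd entry carries an explicit approval. The manifest format, file names and file contents are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path, PurePosixPath

# Extensions the recommendation singles out for extra scrutiny before release.
SCRUTINISED_EXTENSIONS = {".exe", ".bat", ".cmd"}

def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so a large installer is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_download(requested, manifest, root):
    """Return (allowed, reason) for a requested relative path.
    `manifest` maps path -> {"sha256": hex, "approved": bool}, as recorded at build
    time and kept outside the served directory (assumed format, not a standard)."""
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts:
        return False, "path traversal rejected"
    entry = manifest.get(str(rel))
    if entry is None:
        return False, "not on the download allowlist"
    if rel.suffix.lower() in SCRUTINISED_EXTENSIONS and not entry.get("approved"):
        return False, "executable lacks business-need approval"
    actual = sha256_file(Path(root) / rel)
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, "integrity check failed: content differs from manifest"
    return True, "ok"

def demo():
    """Constructed scenario: three files, a manifest built from them, one later swapped."""
    root = Path(tempfile.mkdtemp())
    files = {"tool.exe": b"MZ-constructed-installer", "notes.txt": b"release notes",
             "script.bat": b"@echo constructed"}
    for name, body in files.items():
        (root / name).write_bytes(body)
    manifest = {name: {"sha256": sha256_file(root / name), "approved": name == "tool.exe"}
                for name in files}
    results = {"approved_exe": check_download("tool.exe", manifest, root),
               "plain_file": check_download("notes.txt", manifest, root),
               "unapproved_bat": check_download("script.bat", manifest, root),
               "unlisted": check_download("other.exe", manifest, root),
               "traversal": check_download("../tool.exe", manifest, root)}
    (root / "tool.exe").write_bytes(b"MZ-swapped-in-payload")  # replaced after build
    results["tampered_exe"] = check_download("tool.exe", manifest, root)
    return results
```

The hash comparison uses `hmac.compare_digest` so the check runs in constant time, and the manifest is consulted before the file is opened so an unlisted or traversal path never touches the filesystem.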
