Executable File Download with Secure Integrity Check
Overview of the Vulnerability
An application's risk level rises when it allows executable files to be downloaded, because this increases the chance of malicious files being downloaded and executed on the system or on an end user's device. This application allows an executable file to be downloaded without encryption, enabling an attacker to observe the contents of the downloaded file through network sniffing or a Person-in-the-Middle (PitM) attack. If the downloaded file contains sensitive information, the attacker could use it to carry out further attacks against the application or to impersonate a user.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss for the company, as customers may view the application as insecure. It can also lead to data theft, depending on the content of the downloadable executable files in the application.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Route all application traffic through the HTTP interception proxy
Use a browser to navigate to: {{URL}}
Observe within the HTTP interception proxy that an executable file is downloaded unencrypted
Proof of Concept (PoC)
The screenshot below shows that an executable file is downloaded unencrypted:
{{screenshot}}
Recommendation(s)
It is recommended to reduce the need for downloadable executable files in the application. If they are needed for users to perform business-as-usual functions within the application, all downloadable files should pass an integrity check and be stored and transmitted over an encrypted channel. Additionally, it is recommended that files with .bat, .cmd, and .exe extensions undergo additional scrutiny and be assessed for both business need and the overall security of the files themselves.
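The following added example (not part of the original report template) shows how a client-side download handler can enforce the recommendations above: it accepts a file only when it was fetched over an encrypted (https) transport and its SHA-256 digest matches the value the publisher distributes out of band, and it flags .bat, .cmd and .exe files for additional scrutiny. The URL, filename, file bytes and digest are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Extensions the report singles out for additional scrutiny.
SCRUTINIZED_EXTENSIONS = {".bat", ".cmd", ".exe"}


def check_transport(url: str) -> bool:
    """True only when the download URL uses an encrypted (https) scheme."""
    return urlparse(url).scheme.lower() == "https"


def needs_extra_scrutiny(filename: str) -> bool:
    """True when the file carries one of the high-risk executable extensions."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in SCRUTINIZED_EXTENSIONS)


def verify_download(url: str, filename: str, content: bytes, expected_sha256: str) -> dict:
    """Validate a downloaded file against the report's recommendations.

    expected_sha256 is the hex digest published by the file's owner through a
    separate trusted channel (e.g. an HTTPS release page or signed manifest).
    """
    digest = hashlib.sha256(content).hexdigest()
    result = {
        "encrypted_transport": check_transport(url),
        # Constant-time comparison so a mismatch leaks nothing via timing.
        "integrity_ok": hmac.compare_digest(digest, expected_sha256.lower()),
        "extra_scrutiny": needs_extra_scrutiny(filename),
    }
    # Accept only if both the transport and the integrity check pass; a file
    # needing extra scrutiny is still reported so a reviewer can act on it.
    result["accept"] = result["encrypted_transport"] and result["integrity_ok"]
    return result


# Constructed sample file (not a real program) and the digest its publisher
# would distribute out of band for clients to check against.
SAMPLE_CONTENT = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real program"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_CONTENT).hexdigest()

if __name__ == "__main__":
    print(verify_download("https://example.invalid/tool.exe", "tool.exe",
                          SAMPLE_CONTENT, SAMPLE_DIGEST))
    print(verify_download("http://example.invalid/tool.exe", "tool.exe",
                          SAMPLE_CONTENT + b"tampered", SAMPLE_DIGEST))
```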