Detail

Reflected File Download

Severity: Low

Summary

Netsparker detected a possible reflected file download which might enable attackers to gain complete control over a website user's machine by virtually downloading a file from a trusted domain.

This is a vulnerability in the browsers that only affects Microsoft Windows systems.

Impact

An attacker can craft a URL on the target website that can execute commands on the website visitor's computer if the visitor accepts the download.

For a Reflected File Download attack to be successful:

  1. Attacker controlled input needs to be reflected in the response.
  2. Attacker should be able to change the URL of the vulnerable site to an executable file extension resulting a file download on the website user's browser.
Remediation
  • Add Content-Disposition header with filename attribute in the HTTP response:
    Content-Disposition: attachment; filename=f.txt
Classifications
PCI v3.1-6.5.1, PCI v3.2-6.5.1, CAPEC-375, WASC-42, OWASP 2013-A1, OWASP 2017-A1
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Related Vulnerabilities

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO

RESOURCES

USE CASES

WEB SECURITY

COMPANY

CONTACT

Netsparker Ltd

  • United Kingdom, (reg. no. 06947644)
  • USA Office: +1 415 877 4450
  • UK Office: +44 (0)20 3588 3840
  • contact@netsparker.com
Copyright © 2019 Netsparker Ltd. All rights reserved.
Privacy Policy | Data Protection Policy | Sitemap