Get a demo
AppSec with Zero Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo

Reflected File Download

Severity: Low
Summary#

Invicti detected a possible reflected file download which might enable attackers to gain complete control over a website user's machine by virtually downloading a file from a trusted domain.

This is a vulnerability in the browsers that only affects Microsoft Windows systems.

Impact#

An attacker can craft a URL on the target website that can execute commands on the website visitor's computer if the visitor accepts the download.

For a Reflected File Download attack to be successful:

  1. Attacker controlled input needs to be reflected in the response.
  2. Attacker should be able to change the URL of the vulnerable site to an executable file extension resulting a file download on the website user's browser.
Remediation#
  • Add Content-Disposition header with filename attribute in the HTTP response:
    Content-Disposition: attachment; filename=f.txt
Classifications#
, , , , , ,

Select Category

OR

Search Vulnerability

Tags

OWASP 2013 A1 OWASP 2017 A1

Related Vulnerabilities

Related Articles

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works