Many web applications allow users to submit files in a compressed format (usually the zip file format) to reduce the size of the upload. Later, the application decompresses the archive and gets back the actual files contained in the zip.
ZIP Slip is a highly critical security vulnerability aimed at this kind of application. ZIP Slip makes your application vulnerable to path traversal attacks and sensitive data exposure.
                     [/root]
                    /   |   \
             [/usr1] [/usr2] [/usr3]
                |               |
          [details.zip]   [details.zip]
           /        \       /        \
  [resume.doc][marksheet.pdf] [resume.doc][marksheet.pdf]
Consider an application that accepts a zip file containing a candidate's personal and academic details and auto-fills the application form for the user. Ideally the application should unzip the compressed file, read the files in the zip one by one, extract the meaningful information from each file and finally auto-fill the form with the corresponding data.
This is done with the help of the code snippet below:
If the application doesn't validate the filenames in the uploaded zip, it is vulnerable to a ZIP Slip attack. The user might upload a zip containing a specifically crafted file name. In this case a zip with the file name "../usr3/resume.doc" might read the file in the directory /usr3, to which usr1 doesn't have any access. This results in sensitive data exposure.
This is because ../ is treated as one level up in the directory structure on Unix-based systems.
Here, in line #3 of the code, we do a simple append operation on fileName and destFolder without any validation. We should have validated these variable values and/or checked whether zFile resolves to the directory to which we intend to give write access; without that check the application becomes vulnerable to ZIP Slip attacks.
In the worst case this could even result in remote access or code execution, when the user is able to run commands or shell scripts remotely. Using this attack, an attacker could gain access to directories in the file system outside the intended, privileged folder and can invoke or overwrite files there.
It is not even necessary for the attacker to know your directory structure: critical system files and Tomcat/Apache installations, such as /etc/passwd or /etc/hosts, follow a standard directory layout and can be read the same way.
- Force users to name files with standard names.
- Strip special characters in file names.
- Match and compare filenames with standard regular expressions.
- Rename all files in the uploaded zip with generated names before actually using/storing them.
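The destination check that the post says is missing from its snippet, as an added example rather than the code the post refers to, written in Python instead of the Java-style snippet: every entry name is resolved against the real destination folder before anything is extracted, and a constructed in-memory zip carrying the "../usr3/resume.doc" entry from the scenario above is the input that gets rejected. The names is_safe_entry, safe_extract and build_zip are assumptions.

```python
import io
import os
import zipfile


def is_safe_entry(dest_folder, entry_name):
    """Return True only if entry_name resolves to a path inside dest_folder.

    The joined path is resolved with realpath (collapsing '..' components and
    symlinks) and must stay under the destination. Prefix comparison is done
    with os.path.commonpath, not str.startswith: '/usr1' is a string prefix of
    '/usr10', so startswith would let an entry escape into a sibling folder.
    """
    dest_root = os.path.realpath(dest_folder)
    normalized = entry_name.replace("\\", "/")  # some Windows zip writers emit backslashes
    target = os.path.realpath(os.path.join(dest_root, normalized))
    return os.path.commonpath([dest_root, target]) == dest_root


def safe_extract(zip_bytes, dest_folder):
    """Extract an in-memory zip into dest_folder, refusing traversal entries.

    All entry names are validated before anything is written, so one crafted
    name rejects the whole archive instead of leaving a partial extraction.
    Returns the list of paths written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_folder, info.filename):
                raise ValueError("zip entry escapes destination: %r" % info.filename)
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_folder, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries):
    """Build a zip in memory from {name: bytes}; constructed input for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)  # stores the name exactly as given, '..' included
    return buf.getvalue()
```

Validating before writing is what keeps a single bad entry from being partially extracted; renaming or stripping entries (the other mitigations listed) can be layered on top of this check.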