Wfuzz version: Output of wfuzz --version
3.1.0
Python version: Output of python --version
Python 3.11.6
OS:
Ubuntu 23.10
Report
What is the current behavior?
Wfuzz --filter, --prefilter and --efield options do not perform enough validation on the user's input, which allows us to recursively get and set attributes of various objects that are accessible from the original objects/filters. This is due to rsetattr and rgetattr functions of obj_dyn.py relying on regex to validate the user's input which still can be leveraged to access various attributes and objects that shouldn't be accessible.
We can leverage Python special attributes such as __base__, __class__, __globals__, etc. to disclose information (locally) or result in unexpected behavior.
What is the expected or desired behavior?
While this shows a very limited attack vector since this runs locally, Wfuzz should use a white-list approach to prevent accessing arbitrary objects and attributes.
Please provide steps to reproduce, including exact wfuzz command executed and output:
There are different ways we can leverage this, either by using --filter and --prefilter to set attributes of an object or --efield to access arbitrary attributes.
Accessing __globals__ attribute:
abdulrah33m@ubuntu:~$ wfuzz -z range,0-0 --efield "r.__init__.__globals__" https://www.google.com/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://www.google.com/FUZZ
Total requests: 1
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 404 11 L 72 W 1558 Ch "0 | {'__name__': 'wfuzz.fuzzrequest', '__doc__': None, '__package__': 'wfuzz', '__loader__': <_frozen_importlib_externa
l.SourceFileLoader object at 0x7f125720ba50>, '__spec__': ModuleSpec(name='wfuzz.fuzzrequest', loader=<_frozen_importlib
_external.SourceFileLoader object at 0x7f125720ba50>,
<REDACTED>
Manipulating the actual URL using --prefilter option:
abdulrah33m@ubuntu:~$ wfuzz -z list,blahblah --prefilter "r._request.completeUrl:='https://github.com'" --efield "r.url" https://www.google.com/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://www.google.com/FUZZ
Total requests: 1
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 301 0 L 0 W 0 Ch "blahblah | https://github.com/"
Total time: 0.118809
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 8.416854
Other relevant information:
During my recent research Prototype Pollution in Python, I was looking for open-source projects that allow users to recursively get/set attributes of Python objects to show real-case scenarios for how this attack might exist. This is when I came across rsetattr and rgetattr functions and how they allow us to manipulate objects.
Issue template
Context
Please check:
Please describe your local environment:
Wfuzz version: Output of wfuzz --version
3.1.0Python version: Output of python --versionPython 3.11.6OS:Ubuntu 23.10Report
What is the current behavior?
Wfuzz
--filter,--prefilterand--efieldoptions do not perform enough validation on the user's input, which allows us to recursively get and set attributes of various objects that are accessible from the original objects/filters. This is due torsetattrandrgetattrfunctions ofobj_dyn.pyrelying on regex to validate the user's input which still can be leveraged to access various attributes and objects that shouldn't be accessible. We can leverage Python special attributes such as__base__,__class__,__globals__, etc. to disclose information (locally) or result in unexpected behavior.What is the expected or desired behavior?
While this shows a very limited attack vector since this runs locally, Wfuzz should use a white-list approach to prevent accessing arbitrary objects and attributes.
Please provide steps to reproduce, including exact wfuzz command executed and output:
There are different ways we can leverage this, either by using
--filterand--prefilterto set attributes of an object or--efieldto access arbitrary attributes.Accessing
__globals__attribute:Manipulating the actual URL using
--prefilteroption:Other relevant information:
During my recent research Prototype Pollution in Python, I was looking for open-source projects that allow users to recursively get/set attributes of Python objects to show real-case scenarios for how this attack might exist. This is when I came across
rsetattrandrgetattrfunctions and how they allow us to manipulate objects.