Skip to content

Latest commit

 

History

History
52 lines (42 loc) · 4.71 KB

attack-tree.md

File metadata and controls

52 lines (42 loc) · 4.71 KB

Attack Tree Analysis for symfony/finder

Objective: Unauthorized Access to Files/File Information via Symfony Finder

Attack Tree Visualization

                                  Attacker's Goal:
                  Unauthorized Access to Files/File Information via Symfony Finder
                                            |
      -------------------------------------------------------------------------
      |                                                                       |
  1. Abuse of Path Traversal 2. Exploitation of Vulnerabilities [CRITICAL] Symlink Handling | |

| | | 1a. Inject "../" 1b. Inject 2a. Create Malicious sequences Absolute Paths Symlink Pointing to [CRITICAL] [CRITICAL] Sensitive Files [CRITICAL] | | | --------| --------| --------| | | | ---> Read ---> Read ---> Read Sensitive Sensitive Sensitive File File File [CRITICAL] [CRITICAL] [CRITICAL]

Attack Tree Path: High-Risk Path 1

  • Overall Description: This path represents the classic path traversal attack using relative paths ("../" sequences).
  • Steps:
    1. 1. Abuse of Path Traversal Vulnerabilities [CRITICAL]: The attacker exploits a vulnerability in the application's input handling where user-provided data is used to construct file paths without proper sanitization.
    2. 1a. Inject "../" sequences [CRITICAL]: The attacker provides input containing "../" sequences, aiming to navigate up the directory structure and access files outside the intended directory. For example, if the application expects a filename like "report.pdf", the attacker might provide "../../../etc/passwd".
    3. ---> Read Sensitive File [CRITICAL]: If the application doesn't properly validate or sanitize the input, the Symfony Finder component will be used to access the file specified by the attacker, potentially revealing sensitive information like system files, configuration files, or source code.

Attack Tree Path: High-Risk Path 2

  • Overall Description: This path represents path traversal using absolute paths.
  • Steps:
    1. 1. Abuse of Path Traversal Vulnerabilities [CRITICAL]: Similar to Path 1, the attacker exploits a vulnerability in input handling.
    2. 1b. Inject Absolute Paths [CRITICAL]: Instead of relative paths, the attacker provides a full, absolute path to a sensitive file. For example, they might provide "/etc/passwd" (Linux) or "C:\Windows\System32\config\SAM" (Windows).
    3. ---> Read Sensitive File [CRITICAL]: If the application doesn't validate the input, Finder will access the file at the absolute path, potentially exposing sensitive data.

Attack Tree Path: High-Risk Path 3

  • Overall Description: This path involves creating a malicious symbolic link (symlink) to gain access to a sensitive file.
  • Steps:
    1. 2. Exploitation of Symlink Handling: The attacker leverages the application's handling of symlinks, or lack thereof.
    2. 2a. Create Malicious Symlink Pointing to Sensitive Files [CRITICAL]: The attacker must have write access to a directory that the Symfony Finder component is allowed to access. They create a symlink within this directory that points to a sensitive file outside the intended access area. For example, they might create a symlink named "harmless_link" that points to "/etc/passwd".
    3. ---> Read Sensitive File [CRITICAL]: If the application uses Finder to access files within the directory containing the malicious symlink, and if Finder is configured to follow symlinks (or doesn't properly validate the target of the symlink), the attacker can read the contents of the sensitive file through the symlink.