$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-race-condition-file-write
Now that the app is running let's go hacking!
Reconnaissance
Step 1
We can download a file from the server by making a GET request to it.
Let's try:
Once we download the file we can see that whatever we add to the URL is written into a file called shared-file.
Step 2
As the application suggests, there is a race condition vulnerability in this app; let's try to find it.
If we look at the code we see that the application takes the value from the URL, writes it to a file called shared-file.txt, then opens that file and sends it back as the response.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;

import org.springframework.core.io.InputStreamResource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// @RestController is not visible in the excerpt; it is needed for Spring to register the class as a controller.
@RestController
public class RaceConditionController {

    @GetMapping("/{value}")
    public ResponseEntity<Object> downloadFile(@PathVariable String value, Model model) throws IOException {
        // Every request overwrites the SAME file (second argument false = truncate, not append).
        FileWriter fileWriter = new FileWriter("shared-file.txt", false);
        fileWriter.write(value);
        fileWriter.close();

        // Race window: between the write above and the read below, a concurrent
        // request may already have overwritten shared-file.txt with its own value.
        File file = new File("shared-file.txt");
        InputStreamResource resource = new InputStreamResource(new FileInputStream(file));

        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Disposition", String.format("attachment; filename=\"%s\"", file.getName()));
        headers.add("Cache-Control", "no-cache, no-store, must-revalidate");
        headers.add("Pragma", "no-cache");
        headers.add("Expires", "0");

        ResponseEntity<Object> responseEntity = ResponseEntity.ok().headers(headers).contentLength(file.length())
                .contentType(MediaType.parseMediaType("application/txt"))
                .body(resource);
        return responseEntity;
    }
}
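The following is an added example (not the lab's code) that reproduces the controller's write-then-read pattern on one shared file, runs it under concurrent requests to count how often a caller receives another caller's data, and shows a hardened version that gives every request its own temporary file. The function names, the sleep that widens the window, and the "user-N-secret" request values are constructed for the demonstration.

```python
import os
import tempfile
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the lab's shared-file.txt: one file name for all requests.
SHARED_FILE = os.path.join(tempfile.gettempdir(), "shared-file.txt")


def vulnerable_download(value: str) -> str:
    """Mirror of the lab's handler: write the value to ONE shared file, then
    read that file back. Between the write and the read another request may
    overwrite the file, so the caller can receive someone else's data."""
    with open(SHARED_FILE, "w") as fw:
        fw.write(value)
    time.sleep(0.001)  # constructed: widens the race window so the demo shows it reliably
    with open(SHARED_FILE) as fr:
        return fr.read()


def fixed_download(value: str) -> str:
    """Hardened version: no mutable state shared between requests. mkstemp
    creates a uniquely named file (mode 0600) per request, which is removed
    once its content has been read. (Not touching the disk at all would be
    simpler still; this keeps the lab's file-based flow.)"""
    fd, path = tempfile.mkstemp(prefix="download-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fw:
            fw.write(value)
        with open(path) as fr:
            return fr.read()
    finally:
        os.unlink(path)


def count_cross_contamination(handler, requests: int = 200, workers: int = 16) -> int:
    """Fire `requests` concurrent downloads, each with a distinct value, and
    count how many callers got a body that was not the one they sent."""
    values = [f"user-{i}-secret" for i in range(requests)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        bodies = list(pool.map(handler, values))
    return sum(1 for sent, got in zip(values, bodies) if sent != got)


if __name__ == "__main__":
    print("vulnerable handler mismatches:", count_cross_contamination(vulnerable_download))
    print("fixed handler mismatches:     ", count_cross_contamination(fixed_download))
```

The vulnerable count varies from run to run because the race is timing dependent; the fixed handler returns zero mismatches regardless of load.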
Step 3
How can we exploit this?
We have a very small window between the writing of the file:
InputStreamResource resource = new InputStreamResource(new FileInputStream(file));