Open in app

Sign in

Write

Sign in

Dot (.) Does Matter for Cross platform Application

Allen Kuo (kwyshell)
2 min readDec 30, 2019

--

Recently, my network software encountered strange security issues. The vulnerability testing software showed me that it can gain access to protected resources without authorization.

Access Protected Resource

I have a protected resource:

https://ip/secured/neverseen.txt

If you try to access “https://ip/secured/neverseen.txt”, it will redirect to authorization page. Everything looks fine.

https://ip/./secured/neverseen.txt

When you try to access “https://ip/./secured/neverseen.txt”, it is still okay. According the RFC 3986, the “.” will be normalized so that client will send “https://ip/secured/neverseen.txt”, too.

Of course, the web access shouldn’t depend on client side to sent standard URI request. I try to use “curl” to test the issue again.

Test with curl Tool

curl https://ip/./secured/neverseen.txt
daemon: ip/secured/neverseen.txt

My web handler receive: “ip/secured/neverseen.txt”.
Okay, curl will normalize the Dot (.).

Try use URL encode command:

curl https://ip/%2e/secured/neverseen.txt”
daemon: “ip/./secured/neverseen.txt”.

My simple web handler fails to be triggered. It doesn’t think
“ip/secured/neverseen.txt” and
“ip/./secured/neverseen.txt” are the same string.

Now, I refer to RFC 3986 to standardize URIs before any of my URI handlers. Thereafter, all request URIs are the same, and these 2 strings will correctly trigger the same handler.

Test It Again!

I run the vulnerability test again. Unfortunately, it still reports errors. They can download my “neverseen.txt” file directly without authorization.

Oops !!! Why ?

I need to check the logs in the exploit tool and understand why they can download secure files?

https://ip/secured%2e/neverseen.txt

It’s weird. I expect it will be HTTP 404 Error.

Linux vs Windows

This is filesystem related problem between “Windows” and “Unix/Linux”.

On Windows, “Myfolder.” and “Myfolder” means the same folder.
However, Unix / Linux considers them to be different files.

You can try to use Windows file explorer to create “abc” and “abc.” folders. It will show that the file already exists.

Finally!

I added a rule to convert “folder.” to “folder” in my URI normalization tool, and it finally passed the vulnerability test!

This is really a simple but completely unexpected problem.

Terminal
Web Development
Cross Platform

--

--

Allen Kuo (kwyshell)
Allen Kuo (kwyshell)

Written by Allen Kuo (kwyshell)

30 Followers
161 Following

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams