Perl: malicious_file_names.pl
Wednesday, 23 September 2009 21:43
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

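use strict;
use warnings;

# Upload-handler file-name check: posts the same local file to the upload form
# once per entry in @IllegalFiles, each time declaring a different problematic
# file name in the multipart part, and prints the HTTP status line returned for
# every attempt so the results can be compared name by name.

my $UA   = LWP::UserAgent->new();
my $page = "http://www.example.com/upload.aspx";

# Local file whose contents are sent with every request. HTTP::Request::Common
# opens it while building the request, so fail early with a clear message.
my $localFile = 'C:\TEMP\TESTFILE.TXT';
-r $localFile or die "Cannot read local test file $localFile: $!\n";

# 255 A's followed by .txt: 259 characters in total
my $file259chars = "A" x 255 . ".txt";

# 70 digits followed by .txt: 74 characters, so it really exceeds the
# 64-character limit it is meant to probe (the literal used before was only 61)
my $file74chars = "1234567890" x 7 . ".txt";

my @IllegalFiles = (
    "a:b.txt",       # Colon not allowed on most OSes
    "a;b.txt",       # Semicolon deprecated on most OSes
    $file74chars,    # > 64 characters doesn't work on older file systems
    "File.",         # Windows may discard final period
    "CON",           # Reserved name in Windows
    "a/b.txt",       # does this create a file named b.txt?
    "a\\b.txt",      # again, what does this do?
    "a&b.txt",       # ampersand can be interpreted by OS
    "a\%b.txt",      # percent is variable marker in Windows
    $file259chars,
);

foreach my $fileName (@IllegalFiles) {
    # The file part is [ local path, name sent to the server, extra part headers ].
    # The part is declared as image/jpeg although the names end in .txt;
    # presumably a deliberate mismatch -- confirm against the form under test.
    my $req = HTTP::Request::Common::POST(
        $page,
        Content_Type => 'form-data',
        Content      => [
            myFile => [
                $localFile, $fileName,
                "Content-Type" => "image/jpeg"
            ],
            Submit => 'Upload File',
        ]
    );

    my $resp = $UA->request($req);

    # Report the outcome instead of discarding it. The status line only shows
    # whether the request was accepted; the name the server actually stored
    # still has to be verified on the server side.
    my $shown = length($fileName) > 40
        ? substr($fileName, 0, 37) . '...'
        : $fileName;
    printf "%-40s (%3d chars) => %s\n",
        $shown, length($fileName), $resp->status_line;
}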