Callback URL file:///home/*/.aws/credentials Access (URL-encoded keyword: callback-url-file-3a-2f-2f-2fhome-2f-2a-2f.aws-2fcredentials)

# Vulnerable Python code (kept deliberately flawed, as the page presents it):
# the user-supplied callback URL is accepted as long as it begins with "file://",
# and the remainder is handed to glob.glob(), so the server expands the wildcard
# and prints every matching local file, e.g. /home/*/.aws/credentials.
import glob
import sys

callback_url = sys.argv[1] if len(sys.argv) > 1 else ""  # user_input in the original

if callback_url.startswith("file://"):
    path = callback_url[7:]  # Remove "file://" -> "/home/*/.aws/credentials"
    for filepath in glob.glob(path):  # "*" is expanded as a shell-style wildcard
        with open(filepath, 'r') as f:
            print(f.read())  # file contents are written straight to the response/stdout

The final part of the URL, credentials, points to a specific file within the .aws directory. The credentials file is a plain-text file that stores AWS access keys and other authentication details; the AWS CLI and SDKs read it to authenticate requests, so anyone who obtains it can act as that identity.


[Attacker]
    │
    ▼ (Sends OAuth request with malicious callback)
[Vulnerable Web Application Server]
    │
    ├─► (Validates auth, processes callback URI)
    ├─► (Lacks strict allow-listing of URI schemes)
    │
    ▼ (Server reads its own local storage via file:///)
[Local File System: /home/user/.aws/credentials]
    │
    ▼ (Server leaks AWS Access Keys back to the attacker)
[Attacker Infrastructure]

Let’s break down the keyword. To understand how this attack works, it is necessary to parse the URL-encoded components of the target keyword:

file:// – The URI scheme used to access local files on the server's disk rather than an external web address. A callback handler that accepts any scheme, instead of allow-listing https, lets the attacker point the server at its own file system.

* (asterisk) – Even if the asterisk isn’t a true wildcard in the URL itself, an attacker might use it to bypass weak filters. For instance, a filter that blocks ../ might not block a wildcard that is later resolved by glob or shell expansion, turning /home/*/ into every home directory on the host.

This pattern is used in two common scenarios:

When configuring a callback URL for an AWS application: