{"id":18551,"date":"2017-08-04T14:42:21","date_gmt":"2017-08-04T18:42:21","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=18551"},"modified":"2017-08-04T14:42:59","modified_gmt":"2017-08-04T18:42:59","slug":"using-a-downloaded-html-file-to-steal-files-from-a-mac","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/08\/04\/using-a-downloaded-html-file-to-steal-files-from-a-mac\/","title":{"rendered":"Using a Downloaded HTML File to Steal Files From a Mac"},"content":{"rendered":"<p><a href=\"https:\/\/lab.wallarm.com\/hunting-the-files-34caa0c1496\">Anton Lopanitsyn<\/a> (via <a href=\"https:\/\/twitter.com\/felix_schwarz\/status\/893123469847744514\">Felix Schwarz<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lab.wallarm.com\/hunting-the-files-34caa0c1496\"><p>Interestingly, <code>.DS_Store<\/code> can easily be parsed to get the names of all the files in the catalog. [&#8230;] And this means that, with this information, we can now recursively call .DS_Store to get the complete hierarchy of files on my computer&#x200A;&mdash;&#x200A;all without authorized access to any of the directories.<\/p><p>[&#8230;]<\/p><p>We know that in the Chrome browser, reading local files is not that straightforward. The only way to do that is to launch Chrome with a special argument (<code>--disable-web-security<\/code>).<\/p><p>Safari also warns that it can&rsquo;t work with the local files: such as <code>file:\/\/<\/code><\/p><p>HOWEVER, if the file has originally been downloaded from the internet, Safari is a lot more permissive towards this kind of request. 
Thus one can send an XHR request to a local file and get back its content [&#8230;] &#8230;if a file is local&#x200A;&mdash;&#x200A;you get access!<\/p><p>Knowing this Safari idiosyncrasy, with a full path name we can load the complete file content and upload it to an external server.<\/p><\/blockquote>\n<p>It seems like Safari&rsquo;s <a href=\"https:\/\/support.apple.com\/kb\/PH21491?viewlocale=en_US&amp;locale=en_AE\">Local File Restrictions<\/a> should cover <code>XMLHttpRequest<\/code> in addition to <tt>file:<\/tt> URLs.<\/p>","protected":false},"excerpt":{"rendered":"<p>Anton Lopanitsyn (via Felix Schwarz): Interestingly, .DS_Store can easily be parsed to get the names of all the files in the catalog. [&#8230;] And this means that, with this information, we can now recursively call .DS_Store to get the complete hierarchy of files on my computer&#x200A;&mdash;&#x200A;all without authorized access to any of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[346,30,1381,355,103,48,96],"class_list":["post-18551","post","type-post","status-publish","format-standard","hentry","category-technology","tag-javascript","tag-mac","tag-macos-10-12","tag-privacy","tag-safari","tag-security","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href
":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=18551"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18551\/revisions"}],"predecessor-version":[{"id":18553,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18551\/revisions\/18553"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=18551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=18551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=18551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}