Connect with us

Hi, what are you looking for?


Application Security

Reflected File Download: New Attack Vector Enables File Downloads Without Upload

In most Web attacks, malware is downloaded to victims’ machines from a malicious or a compromised server. However, a researcher has uncovered a new attack vector where the malicious file is downloaded without actually being uploaded anywhere.

In most Web attacks, malware is downloaded to victims’ machines from a malicious or a compromised server. However, a researcher has uncovered a new attack vector where the malicious file is downloaded without actually being uploaded anywhere.

Trustwave researcher Oren Hafif will present the new Web attack vector, which he calls Reflected File Download (RFD), at the Black Hat Europe security conference that takes place later this week in Amsterdam, the Netherlands.

RFD, which according to the researcher can be exploited even by less skilled hackers, targets both Web applications and Web-based APIs that don’t deal correctly with user input and don’t set content types correctly in the response. An attacker only needs to find an API that accepts user controlled input and reflects it into the response. The attack is called Reflected File Download because the malicious file is not actually hosted on the targeted website, but instead it’s reflected from it.

Similar to other types of Web attacks, such as cross-site scripting (XSS), RFD requires that the victim clicks on a maliciously crafted link, an action which results in a piece of malware being downloaded to the targeted computer.

According to the researcher, this type of attack is dangerous because the URL created by the attacker points to trusted websites, such as and Hafif says he has identified at least 20 high-profile websites that are vulnerable to RFD attacks.

When the victims click on the maliciously crafted link, the Web browser sends a request to the vulnerable website, which in turn sends back a response that’s saved by the browser on the victim’s computer as a file. The attacker can set the name of the malicious file in the URL that he sends to the victim.

Hafif told SecurityWeek in an interview that cybercriminals could trick users into clicking on the link by making it look like an update for a popular application, such as Google Chrome. Since the URL, which looks something like “;/ChromeSetup.bat;“, points to a legitimate Google domain, the victim doesn’t suspect that the file they are downloading and executing is not actually an update, but a piece of malware.

Advertisement. Scroll to continue reading.

“The attacker is getting the equivalent access as if he could upload malicious files to the server, but without uploading those files,” the researcher said.

On more recent versions of Windows, when users try to execute a file from an unknown publisher, they are presented with a security warning message. However, the researcher has found a way to bypass this security mechanism so there isn’t any warning when the victim executes the downloaded file. The secret to getting Windows not to display the security warning lies in the file name, Hafif said.

Once the malware is installed on the system, it can perform a wide range of tasks with administrator privileges, on the operating system level. For example, an attacker can execute OS commands that allow him to install other malware, steal data from the victim’s browsing session, or gain complete control over the targeted device. An attacker can also execute malicious OS scripts, and exploit vulnerabilities in other software installed on the compromised machine.

To demonstrate the seriousness of such an attack, the researcher developed a worm that spreads through social media networks such as, Facebook, Google+, Twitter and LinkedIn. The worm hooks itself into the browser and controls it with the aid of command line flags that can completely disable Web security features. The malware can then access any website and impersonate the user on it. This allows it to spread the malicious link on all the social networks and email accounts the victim is connected to.

Google and Bing were informed of the existence of the vulnerability in late March. Bing fixed the issue on the same day, but it took Google approximately three months to address the flaw on most of its domains. The researcher said the flaw can be addressed by using secure coding practices and secure configurations.

Hafif told SecurityWeek that while this isn’t a JSON-specific attack, JSON technologies are highly vulnerable. The researcher says websites utilizing JSON or JSONP APIs are very likely to be vulnerable to RFD attacks.

While he hasn’t seen or heard of any attacks leveraging the method, the researcher says it’s likely to happen considering that RFD is under everyone’s radar.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...