Parchive
Parchive's document archiving platform lets legal teams bundle case files into compressed archives. The archive name field has a filter — but not a complete one.
The Scenario
Parchive is a document-archiving SaaS founded in 2020 in Boston for mid-market law firms and audit shops, with seats starting at $89/month and a customer base of around 4,000 active reviewers. The bulk-export feature was rewritten last summer by a contractor who pushed back on the team's request for a whitelist, arguing it would break power-user filenames; the compromise was a small "obvious junk" check on the archive name field. A client flagged some unexpected behaviour in the export endpoint during a routine review.
Challenge Intel
Synopsis
A legal document SaaS whose archive export strips spaces but overlooks the shell variable that replaces them.
What It Is
Parchive's bulk export sends a user-supplied archive name directly into a shell tar command after stripping ASCII spaces. The filter is incomplete — the shell's internal field separator variable provides an alternative whitespace that bypasses the check entirely, letting you chain additional commands.
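As an added illustration (this is not Parchive's code; the paths, the regex and the sample names are assumptions), the incomplete strip-spaces check next to an allowlist-plus-argv build that never hands the name to a shell:

```python
import re
import subprocess
from typing import List

# Constructed sample inputs for this example (not taken from the challenge):
BENIGN_NAME = "Q3_audit-2024.v1"
# Contains no ASCII space, so a strip-spaces check leaves it unchanged,
# yet it carries a shell metacharacter and the $IFS token the page describes.
SUSPECT_NAME = "case;$IFS;export"

def naive_filter(name: str) -> str:
    """The incomplete check: drop ASCII spaces, keep everything else."""
    return name.replace(" ", "")

def naive_command(name: str) -> str:
    """Vulnerable pattern: one string handed to a shell (shell=True)."""
    return f"tar -czf /exports/{naive_filter(name)}.tar.gz /cases/"

# Hardened: an allowlist instead of a blocklist. Letters, digits, dot, dash,
# underscore; must start alphanumeric; bounded length; no slash, no $ or ;.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def name_is_valid(name: str) -> bool:
    """True only when the whole name matches the allowlist."""
    return SAFE_NAME.fullmatch(name) is not None

def tar_argv(name: str) -> List[str]:
    """Hardened builder: validate, then return an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the name."""
    if not name_is_valid(name):
        raise ValueError(f"rejected archive name: {name!r}")
    return ["tar", "-czf", f"/exports/{name}.tar.gz", "/cases/"]

def run_export(name: str) -> subprocess.CompletedProcess:
    """Ties it together; assumes tar and the directories exist on the host."""
    return subprocess.run(tar_argv(name), check=True)

if __name__ == "__main__":
    print(naive_command(SUSPECT_NAME))   # $IFS survives the strip-spaces filter
    print(name_is_valid(SUSPECT_NAME))   # False: the allowlist rejects it
    print(tar_argv(BENIGN_NAME))
```

The point to check in a review is the second half: rejecting by allowlist and passing an argument vector means there is no shell word-splitting step for $IFS to reach.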
Who It's For
Testers who have completed a basic command injection challenge and want to practise bypassing a simple character filter without complex encoding or out-of-band techniques.
Skills You'll Practice
- Basic command injection payloads
- Understanding of shell field separators and word splitting
- Reading shell error output to confirm code execution
- Iterating payload variations when a first attempt is filtered
What You'll Gain
- Hands-on experience with $IFS as a whitespace substitute
- A reusable filter-bypass technique applicable to many injection contexts
- Confidence testing shell character filters systematically
- Understanding of why blacklist filtering is fragile