In this chapter, we are going to learn about directory traversal vulnerabilities.
| | |
|---|---|
| Type of vulnerability: | Server-Side |
| Chances to find: | Common; Directory Traversal is part of “Broken Access Control”, ranked #1 in the “OWASP Top-10 Vulnerabilities” |
| TL;DR: | A Directory Traversal vulnerability enables an attacker to access the target server’s file system, reading / manipulating files without permission |
What is Directory Traversal?
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”. (src: OWASP)
Let’s have a look at an example server running a web application that allows you to store and retrieve images to share them with your family! The file system of the server looks like this:
```
[only parts shown]
/etc/
|__passwd
[...]
/var/
|__/www/
   |__/images/
      |__image_1.png
      |__image_2.png
      |__image_3.png
```
In the rudimentary depiction of a file system above, you can see that all images are stored under /var/www/images/. If the web application does not perform user input sanitisation and/or the web server has no access control policies in place, an attacker could now try to read the /etc/passwd file.
Let’s assume the web app offers a simple portal where the user sees the file names of all their images. If she clicks on a specific image, the picture is shown.
An example HTTP request sent to the server to display that image could look like this:
```http
GET /images/display?imageName=image_1.png HTTP/1.1
Host: example.com
```
If an attacker intercepts the request and replaces the file name with ../../../etc/passwd, the confidential content of that file could end up displayed in the browser.
Directory Traversal vulnerabilities typically result in so-called Local File Inclusion (LFI) vulnerabilities. The two terms are sometimes used interchangeably, the result in both cases being the disclosure of sensitive information. The example in the paragraph above would be considered an LFI vulnerability.
However, successful attacks can also lead to Cross-Site Scripting (XSS), Remote Code Execution (RCE) and even full system compromise. It heavily depends on how the web server is configured (e.g. file system access controls) and on the web application’s functionality (e.g. the ability to read / manipulate files).
How to prevent Directory Traversal?
There are multiple ways to defend against directory traversal vulnerabilities. We will have a look at the most common ones in this list (keep in mind that it is always recommended to use multiple layers of defense):
- Avoid using user input in API calls that result in file system access
- If user input is needed, resolve it relative to a fixed web root directory that acts as the root for the web server (disallowing access to any higher directory level)
- Sanitise user input to strip unwanted characters (such as ../)
- Implement a whitelist that allows access to specific paths and files only
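A hardened version of the imageName lookup from the request above, as an added example that is not code from the original chapter: it layers the last three defences from the list (fixed web root, rejecting traversal sequences, and an allow-list). IMAGE_ROOT, the allowed extensions and the function names are assumptions for the example, and image_name is the query parameter after the framework has URL-decoded it.

```python
import os
from pathlib import Path

# Constructed example: the images directory from the chapter's file-system sketch.
IMAGE_ROOT = Path("/var/www/images")
# Allow-list of file types this feature is meant to serve (assumption for the example).
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


class TraversalAttempt(ValueError):
    """Raised when an imageName value would leave IMAGE_ROOT or is not a plain image name."""


def resolve_image(image_name: str, root: Path = IMAGE_ROOT) -> Path:
    """Map the (already URL-decoded) imageName query parameter to a file under root.

    Three independent layers, so a bypass of one is still caught by another:
    1. the value must be a bare file name (no '/', '\\', NUL or '..' components);
    2. the extension must be on the allow-list;
    3. the canonicalised path must still live under the canonicalised root.
    """
    if not image_name or "\x00" in image_name:
        raise TraversalAttempt("empty name or embedded NUL byte")
    # Reject rather than strip: stripping '../' once from '....//' leaves '../' behind.
    if image_name in (".", "..") or "\\" in image_name or image_name != os.path.basename(image_name):
        raise TraversalAttempt(f"{image_name!r} is not a plain file name")
    if Path(image_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise TraversalAttempt(f"{image_name!r} has a non-image extension")
    root_real = root.resolve()                    # follows symlinks, collapses '..'
    candidate = (root_real / image_name).resolve()  # also follows a symlink planted in root
    # commonpath() compares whole path components, so '/var/www/images2' cannot pass as a
    # child of '/var/www/images' the way a plain str.startswith() check would allow.
    if os.path.commonpath([root_real, candidate]) != str(root_real):
        raise TraversalAttempt(f"{image_name!r} resolves outside {root_real}")
    return candidate


def is_safe_image_name(image_name: str) -> bool:
    """Convenience wrapper: True when resolve_image() accepts the name."""
    try:
        resolve_image(image_name)
    except TraversalAttempt:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the chapter's legitimate request and its traversal variant.
    for name in ("image_1.png", "../../../etc/passwd", "/etc/passwd", "....//....//etc/passwd"):
        print(f"{name!r:32} -> {'served' if is_safe_image_name(name) else 'rejected'}")
```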
Let’s have a look at a video example of a Directory Traversal vulnerability:
One more video looking into additional Directory Traversal exploitation techniques:
The following links are valuable to learn more about Directory Traversal:
- Directory Traversal overview and free labs by Portswigger
- Directory Traversal testing guide by OWASP
- Directory Traversal CWE classification
Follow us on Twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.