
Sunday 8 June 2014

Directory/Path Traversal Vulnerabilities

Path Traversal vulnerabilities occur when an application uses user-controllable data to access files and directories on the application server. A malicious user may be able to craft input that can cause content to be read or written from the filesystem.

To demonstrate this attack we will use the deliberately vulnerable application bWAPP. In the bWAPP example, the application returns a message to the client, and the file that contains the message is specified as a query string parameter, e.g. message.txt.


When the server processes the request it follows these steps:
  1. Extracts the value of the filename parameter from the query string
  2. Appends the value to a fixed prefix, say C:\bWAPP\
  3. Opens the file with this name
  4. Reads the file's contents and returns them to the client
If the attacker can place path traversal strings into the filename, they may be able to backtrack up from the directory specified in step 2 and access files anywhere on the server. The path traversal sequence is known as "dot-dot-slash".

An attacker could insert the malicious string "../../../etc/passwd" to include the password hash file of a Linux/UNIX system.


It may also be possible to return configuration files.


When trying to find path traversal vulnerabilities, look for request parameters that contain the name of a file or directory, e.g. include=main.inc or template=/en/sidebar. Also look at any application function whose implementation is likely to retrieve data from the server filesystem, such as displaying documents or images.

Path traversal attacks have been around for some time. It is common to find applications that implement various defenses against them, often based on input validation filters. It may still be possible to bypass these filters; here are some useful tips:

Try path traversal sequences using both forward slashes and back slashes. Many input filters check for only one of these, while the filesystem may support both.

URL encoding the traversal sequences:
  Dot - %2e
  Forward slash - %2f
  Backslash - %5c

16-bit Unicode encoding:
  Dot - %u002e
  Forward slash - %u2215
  Backslash - %u2216

Double URL encoding:
  Dot - %252e
  Forward slash - %252f
  Backslash - %255c
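The reason single-pass filters fail against the encodings above is that they compare the raw parameter instead of the path the filesystem will actually see. The check below is an added example (not bWAPP's code and not from the original post): it decodes %XX, %uXXXX and double-encoded sequences until the value is stable, treats backslashes and the Unicode slashes that %u2215/%u2216 denote as separators, and then verifies that the resolved path is still inside the directory the messages are served from. The base directory is an assumed value, and posixpath is used so the check behaves the same on any OS.

```python
import posixpath
import re
import urllib.parse
from typing import Optional

# Assumed directory the message files live in (constructed for this example).
BASE_DIR = "/var/www/bwapp/messages"

# %uXXXX escapes as listed above (%u002e, %u2215, %u2216).
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX escapes repeatedly until the string is stable,
    so double-encoded sequences such as %252e become plain characters."""
    for _ in range(max_rounds):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = urllib.parse.unquote(decoded)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safe_path(user_param: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path for user_param if it stays inside base_dir,
    otherwise None. Backslashes and the Unicode slashes that %u2215/%u2216
    denote are all treated as path separators before the check."""
    decoded = fully_decode(user_param)
    normalized = (decoded.replace("\\", "/")
                         .replace("\u2215", "/")
                         .replace("\u2216", "/"))
    base = posixpath.normpath(base_dir)
    # join() lets an absolute input replace base; normpath() collapses "..";
    # commonpath() then tells us whether the result is still under base.
    candidate = posixpath.normpath(posixpath.join(base, normalized))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for param in ("message.txt", "../../../etc/passwd",
                  "..\\..\\..\\etc\\passwd", "%252e%252e%252fetc%252fpasswd",
                  "%u002e%u002e%u2215etc%u2215passwd"):
        print(repr(param), "->", resolve_safe_path(param))
```

Only the returned path should ever be passed to the file-open call; a None result means the request should be rejected and logged, since a parameter that only fails after decoding is a strong traversal indicator.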

Here is a useful cheat sheet that you can try: Link