To demonstrate this attack we will use the deliberately vulnerable application bWAPP. If you consider the example below, the application is returning a message to the client. The file that contains the message is specified as a query string parameter e.g. message.txt.
When the server processes the request it follows these steps:
- Extract the value of the filename parameter from the query string
- Appends the value to the prefix say C:\bWAPP\
- Opens the file with this name
- Reads the file's contents and returns it to the client
An attacker could insert the malicious string "../../../etc/passwd" to include the password hash file of a Linux/UNIX system.
It may also be possible to return configuration files.
When trying to find path traversal vulnerabilities look for request parameters that contain the name of a file or directory e.g. include=main.inc or template=/en/sidebar. Also any application functions whose implementation is likely to retrieve data from a server filesystem such as displaying of documents or images.
Path traversal attacks have been about for some time. It is common to find applications that implement various defenses against them, often based on input validation filters. But it may be possible to bypass these filters, here are some useful tips:
Try path traversal sequences using both forward slashes and back slashes. Many input filters check for only one of these, when the filesystem may support both.
URL encoding the traversal sequences
Dot - %2e
Forward slash - %2f
Backslash - %5c
16-bit Unicode encoding
Dot - %u002e
Forward slash - %u2215
Backslash - %u2216
Double URL encoding
Dot - %252e
Forward slash - %252f
Backslash - %255c
Here is a useful cheat sheet that you can try Link
No comments:
Post a Comment