Directory Traversal: A Comprehensive Guide from Basics to Prevention
Directory Traversal vulnerability allows an attacker to access sensitive files or execute commands on the application server.
Medusa
8 mins
In 2018, a directory traversal vulnerability was discovered in the File Manager plugin for WordPress, which allowed attackers to upload and execute malicious files on vulnerable websites. The vulnerability was caused by a lack of sanitization of user input in the "path
" parameter of the plugin's code, which allowed attackers to traverse the server's directory structure and upload or execute files outside of the intended directory. This vulnerability affected over 700,000 websites and highlights the importance of implementing proper input validation and sanitization in web applications to prevent directory traversal attacks.
Overview of Directory Traversal
What is Directory Traversal?
How does directory traversal occur?
Examples
How to exploit it?
Prevention Measures
What is Directory Traversal?
Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to access files and directories outside the intended folder. This type of attack occurs when an application does not properly sanitize user input, which can include special characters that allow the attacker to "traverse" the server's directory structure. In the worst cases, the attacker can then access sensitive files or execute commands on the server. It is important for web developers to implement proper input validation and sanitization techniques to prevent these types of attacks.
Here are two examples of code vulnerable to Directory Traversal
PHP Vulnerable Code
This code takes a file name as an input from a user via the GET parameter "file
", and then includes the contents of that file within the PHP script. The file is included using an absolute file path that is hardcoded into the script.
Java Vulnerable Code
In both of these examples, the code is vulnerable to directory traversal attacks because it fails to properly sanitize user input before using it to construct a file path. An attacker can use "../
" characters to navigate up the directory tree and access files outside of the intended directory. For instance, if the attacker sets the "file
" parameter to "../../../../../etc/passwd
", the server will attempt to parse the user input, going back a few directories due to the "../
" notation. This sets the file parameter to the new user input value and includes the file "/path/to/files/../../../../../etc/passwd
". As a result, the attacker could view the contents of the sensitive file "passwd
".
If you would like to watch a video on this, check this out!
Directory Traversal in API Endpoint
Here's an example of an HTTP request and response in an API endpoint vulnerable to directory traversal:
HTTP Request:
In this example, the attacker is attempting to access the sensitive file "passwd
" by using "../
" characters to traverse the server's directory structure.
HTTP Response:
In this example, the server has responded with the contents of the "passwd
" file, which contains sensitive information about the server's users.
Proper input validation and sanitization can prevent these types of attacks by ensuring that the file path provided by the user does not contain any "../
" characters, and is limited to the intended directory.
Practical Demonstration
Target Application: PortSwigger Lab
The application is an e-commerce website that contains products and you can click on each product to see its details.
I’ve turned on my Burp Proxy and it is capturing requests behind the scenes. After exploring and clicking on some products, this is the proxy history I have in BurpSuite.
By default, you cannot view jpg requests. To filter jpg requests, you must use the filter settings in the HTTP history filter tab.
You can select the request with the path /image/filename=36.jpg
to fetch the photo for a specific product.
To exploit the system, send the request with the payload. ..../..../..../..../etc/passwd
to the repeater and change the filename value. The payload uses "../
" characters to navigate the server's directory structure and access sensitive files outside of the intended directory. In this case, the attacker is attempting to access the "passwd
" file located in the "/etc/
" directory, which contains sensitive information about the server's users. Proper input validation and sanitization can prevent these types of attacks by ensuring that the file path provided by the user does not contain any "../
" characters and is limited to the intended directory.
You may be wondering why I didn't use "../../../etc/passwd". The reason is that the application was truncating "..", so I used four dots to bypass this. If the initial payload is "..../," the backend will truncate ".." and the result will be "../". The backend will then process "../" to go back to one directory and show us the required result leading to successful exploitation.
The response displays the contents of the /etc/passwd
file, which should be kept confidential.
If an attacker gains access to the /etc/passwd file, they may obtain sensitive information about the server's users, such as usernames and hashed passwords. This information can then be used in further attacks, such as password cracking or phishing attempts.
In this case, a simple payload was used. If you are unsure about which payload to use and want to save time, you can try a fuzzing attack. Simply send the request to the repeater and mark the value you want to change in every subsequent request.
There are various directory traversal wordlists available. Once you have them, you can use Intruder or any other fuzzing tool to start the attack.
Prevention Measures Directory Traversal
Here are some preventative measures that can be implemented to protect against directory traversal attacks:
Input validation and sanitization: Ensure that all user input is properly validated and sanitized before being used in a file path or URL. This can include disallowing certain characters, encoding user input, and limiting the depth of directory traversal.
File system permissions: Set appropriate file system permissions to prevent unauthorized access to sensitive files and directories. This can include setting read and write permissions, as well as restricting access to certain users or groups.
Web server configuration: Configure the web server to prevent directory traversal attacks. This can include setting up access controls, disabling directory indexing, and using secure programming practices.
Use of frameworks and libraries: Use secure frameworks and libraries that have built-in protection against directory traversal attacks. This can include using functions that properly sanitize user input and limit directory traversal.
Regular updates and patches: Keep all software and applications up-to-date with the latest security patches and updates. This can help to prevent known vulnerabilities from being exploited.
By implementing these prevention measures, organizations can effectively protect against directory traversal attacks and ensure the security of their systems and data.
Keep reading
API Security
3 minutes
What is API Discovery?
API Discovery helps identify, map, and manage APIs within an organization, ensuring security, performance, and seamless integration across systems.
API Security
5 minutes
Top 10 DAST Tools in 2024
DAST tools secure web apps by identifying vulnerabilities through automated security testing.
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
Experience enterprise-grade API Security solution