Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-33
Path Traversal
The Path Traversal attack technique gives an attacker access to
files, directories, and commands that reside outside the web
document root directory. An attacker manipulates a URL in such a
way that the web site executes or reveals the contents of arbitrary
files anywhere on the web server. Any device that exposes an
HTTP-based interface is potentially vulnerable to Path Traversal.
Most web sites restrict user access to a specific portion of the
file system, typically called the "web document root" or "CGI root"
directory. These directories contain the files intended for user
access and the executables needed to drive web application
functionality. To reach files or execute commands elsewhere on the
file system, Path Traversal attacks exploit special-character
sequences that the server or application interprets as path
components.
The most basic Path Traversal attack uses the "../"
special-character sequence to alter the resource location requested
in the URL. Although most popular web servers will prevent this
technique from escaping the web document root, alternate encodings
of the "../" sequence may bypass the security filters. These
variations include valid and invalid Unicode encodings of the path
separator ("..%u2216", the IIS %u form, and "..%c0%af", an overlong
UTF-8 encoding of "/"), backslash characters ("..\") on
Windows-based servers, URL-encoded characters ("%2e%2e%2f"), and
double URL encoding ("..%255c", which decodes first to "%5c" and
only then to "\") of the backslash character. A filter that looks
for the literal "../" before decoding, or that decodes only once
when a later component decodes again, misses these forms.
Even if the web server properly restricts Path Traversal attempts
in the URL path, a web application itself may still be vulnerable
due to improper handling of user-supplied input. This is a common
problem in web applications that use template mechanisms or load
static text from files. In variations of the attack, the original
URL parameter value is substituted with the file name of one of the
web application's dynamic scripts. Consequently, the response can
reveal source code, because the file is read as text instead of
being executed as a script. These techniques often employ
additional special characters such as the dot (".") to reveal the
listing of the current working directory, or "%00" NULL characters
to bypass rudimentary file extension checks.
Example
Path Traversal attacks against a web server
http://example/../../../../../etc/passwd
http://example/..%255c..%255c..%255cboot.ini
http://example/..%u2216..%u2216someother/file
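The following is an added example, not code from the WASC page, showing why the encoded forms above slip past a literal "../" filter and how a canonicalize-then-contain check stops them. The payloads are constructed from the URLs above, the document root /var/www/html is a hypothetical path that need not exist, and naive_filter, canonical_form and resolve_under_root are names chosen for this illustration:

```python
import os
import re
import urllib.parse
from typing import Optional

# Hypothetical document root (an assumption for the demonstration; it need not
# exist, os.path.realpath resolves missing components lexically).
DOC_ROOT = "/var/www/html"

# Constructed payloads built from the encodings listed in the text, each aimed
# at a file outside DOC_ROOT.
PAYLOADS = [
    "../../../../../etc/passwd",        # plain "../"
    "%2e%2e%2f%2e%2e%2fetc/passwd",     # URL-encoded "../"
    "..%255c..%255c..%255cboot.ini",    # double-encoded backslash
    "..%c0%af..%c0%afetc/passwd",       # overlong UTF-8 "/"
    "..%u2216..%u2216someother/file",   # IIS %u encoding
    "..\\..\\..\\windows\\win.ini",     # backslash separators
    "../scripts/foo.cgi%00txt",         # NUL byte extension bypass
]


def naive_filter(path: str) -> bool:
    """The rudimentary check the encodings above are built to slip past:
    it rejects only a literal '../'. Returns True when the path is accepted."""
    return "../" not in path


def decode_once(path: str) -> str:
    """One round of decoding as a permissive server might perform it:
    IIS-style %uXXXX first, then standard %XX with strict UTF-8, so an
    overlong sequence such as %c0%af raises UnicodeDecodeError."""
    path = re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), path)
    return urllib.parse.unquote(path, encoding="utf-8", errors="strict")


def canonical_form(path: str, max_rounds: int = 3) -> Optional[str]:
    """Decode to a fixed point (bounded), reject NUL bytes and invalid
    encodings, and map backslash and U+2216 to '/' so the string resembles
    what the file system would see. Returns None for unacceptable input.
    Decoding more than once is deliberately conservative: it models a
    downstream component that decodes again (the IIS flaw in CA-2001-12)."""
    try:
        for _ in range(max_rounds):
            decoded = decode_once(path)
            if decoded == path:
                break
            path = decoded
    except UnicodeDecodeError:
        return None
    if "\x00" in path:
        return None
    return path.replace("\\", "/").replace("\u2216", "/")


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Resolve user_path beneath root; return the absolute target only if it
    is still inside root, else None ('refuse to serve'). A leading '/' is
    stripped so the request is always taken relative to root."""
    canon = canonical_form(user_path)
    if canon is None:
        return None
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, canon.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:40} naive={'pass' if naive_filter(p) else 'block'} "
              f"resolved={resolve_under_root(DOC_ROOT, p)}")
    print(resolve_under_root(DOC_ROOT, "index.htm"))
```

naive_filter accepts every encoded payload because it only looks for the literal "../". resolve_under_root instead decodes with strict UTF-8 (so the overlong %c0%af is refused outright), maps the backslash forms to the separator, resolves the result beneath the root and refuses anything whose real path leaves it; the containment test on the resolved path is what matters, not the list of bad sequences. A server that is certain it decodes exactly once could stop after the first round; the fixed-point decoding here is the cautious choice when a later component may decode again.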
Path Traversal attacks against a web application
Original: http://example/foo.cgi?home=index.htm
Attack: http://example/foo.cgi?home=foo.cgi
In the above example, the web application reveals the source code
of the foo.cgi file because the value of the home parameter was used
as a file name whose content is returned. Notice that in this case
the attacker does not need to submit any invalid characters or any
path traversal sequences for the attack to succeed. The attacker has
simply targeted another file in the same directory as index.htm.
Path Traversal attacks against a web application using
special-character sequences:
Original: http://example/scripts/foo.cgi?page=menu.txt
Attack: http://example/scripts/foo.cgi?page=../scripts/foo.cgi%00txt
In the above example, the web application reveals the source code of
the foo.cgi file by using special-character sequences. The "../"
sequence was used to traverse one directory above the current one
and enter the /scripts directory. The "%00" sequence was used both to
bypass the file extension check and to truncate the name at the NUL
byte when the file was read in.
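The two application-level examples above (home=foo.cgi and page=../scripts/foo.cgi%00txt) reconstructed as an added example that is not code from the WASC page. A constructed site is built in a temporary directory; vulnerable_serve reproduces the handler the text describes, with the NUL truncation of a C runtime emulated explicitly because Python's own open() refuses embedded NUL bytes; hardened_serve is the fix, treating the parameter as an identifier looked up in an allow-list rather than as a file name, which also defeats the home=foo.cgi variant that used no special characters. Directory layout, file contents and function names are all assumptions for the illustration:

```python
import os
import tempfile
from typing import Optional

# Constructed stand-in for the layout in the example: a pages directory that
# foo.cgi serves from, and a sibling scripts directory holding foo.cgi's own
# source (the file the attacker is after). Contents are made up.
FOO_CGI_SOURCE = "#!/usr/bin/perl\n$db_password = 'hunter2';  # constructed\n"
MENU_TXT = "Main menu\n"


def make_site() -> str:
    """Create <site>/pages/menu.txt and <site>/scripts/foo.cgi in a temp dir."""
    site = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(site, "pages"))
    os.makedirs(os.path.join(site, "scripts"))
    with open(os.path.join(site, "pages", "menu.txt"), "w") as f:
        f.write(MENU_TXT)
    with open(os.path.join(site, "scripts", "foo.cgi"), "w") as f:
        f.write(FOO_CGI_SOURCE)
    return site


def c_runtime_filename(name: str) -> str:
    """Emulates how a C-based runtime sees a file name carrying a NUL byte:
    everything after the first NUL is dropped. Python's open() rejects an
    embedded NUL, so the truncation is modelled explicitly here."""
    return name.split("\x00", 1)[0]


def vulnerable_serve(site: str, page: str) -> str:
    """foo.cgi?page=<page> as the text describes it: a rudimentary extension
    check on the raw (already URL-decoded) parameter, then the named file is
    read from the pages directory and returned as content. "../scripts/foo.cgi
    followed by a NUL and "txt" passes the check yet opens foo.cgi."""
    if not page.endswith("txt"):
        raise PermissionError("only txt pages may be served")
    path = os.path.join(site, "pages", c_runtime_filename(page))
    with open(path) as f:
        return f.read()


# Hardened form: the parameter is an identifier resolved through an allow-list,
# never a file name, so neither "../" nor a NUL byte has anything to act on.
PAGES = {"menu": "menu.txt"}


def hardened_serve(site: str, page_id: str) -> Optional[str]:
    """Return the page for a known identifier, or None for anything else."""
    filename = PAGES.get(page_id)
    if filename is None:
        return None
    with open(os.path.join(site, "pages", filename)) as f:
        return f.read()


if __name__ == "__main__":
    site = make_site()
    print(vulnerable_serve(site, "menu.txt"), end="")
    print(vulnerable_serve(site, "../scripts/foo.cgi\x00txt"), end="")  # leaks source
    print(hardened_serve(site, "../scripts/foo.cgi\x00txt"))            # None
    print(hardened_serve(site, "foo.cgi"))                              # None
```

The check in vulnerable_serve is performed on one string and the open() on another, which is the whole flaw: any transformation between the check and the use (NUL truncation here, a second decode in the earlier example) gives the attacker a gap. hardened_serve never builds a path from user input at all; where a mapping is impractical, the containment check on the resolved path from the earlier example is the alternative.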
Reference
"CERT® Advisory CA-2001-12: Superfluous Decoding Vulnerability in
IIS"
[1] http://www.cert.org/advisories/CA-2001-12.html
"Novell Groupwise Arbitrary File Retrieval Vulnerability"
[2] http://www.securityfocus.com/bid/3436/info/
"Path Traversal" by Wikipedia
[3] http://en.wikipedia.org/wiki/Directory_traversal
"Path Traversal" CWE
[4] http://cwe.mitre.org/data/definitions/22.html
See Also "Null Byte Injection"
[5] http://projects.webappsec.org/Null-Byte-Injection