View
 

Path Traversal

Page history last edited by Robert Auger 1 year, 11 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-33

 

Path Traversal

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

 

Most web sites restrict user access to a specific portion of the file-system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executable necessary to drive web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will utilize the ability of special-characters sequences.

 

The most basic Path Traversal attack uses the "../" special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the "../" sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding ("..%u2216" or "..%c0%af") of the forward slash character, backslash characters ("..\") on Windows-based servers, URL encoded characters "%2e%2e%2f"), and double URL encoding ("..%255c") of the backslash character.

Even if the web server properly restricts Path Traversal attempts in the URL path, a web application itself may still be vulnerable due to improper handling of user-supplied input. This is a common problem of web applications that use template mechanisms or load static text from files. In variations of the attack, the original URL parameter value is substituted with the file name of one of the web application's dynamic scripts. Consequently, the results can reveal source code because the file is interpreted as text instead of an executable script. These techniques often employ additional special characters such as the dot (".") to reveal the listing of the current working directory, or "%00" NULL characters in order to bypass rudimentary file extension checks.

 

Example

Path Traversal attacks against a web server

http://example/../../../../../etc/passwd
http://example/..%255c..%255c..%255cboot.ini
http://example/..%u2216..%u2216someother/file

 

Path Traversal attacks against a web application

 Original: http://example/foo.cgi?home=index.htm
 Attack: http://example/foo.cgi?home=foo.cgi

 

In the above example, the web application reveals the source code of the foo.cgi file because the value of the home variable was used as content. Notice that in this case the attacker does not need to submit any invalid characters or any path traversal characters for the attack to succeed. The attacker has targeted another file in the same directory as index.htm.

 

Path Traversal attacks against a web application using special-character sequences:

Original: http://example/scripts/foo.cgi?page=menu.txt
Attack: http://example/scripts/foo.cgi?page=../scripts/foo.cgi%00txt

 

In above example, the web application reveals the source code of the foo.cgi file by using special-characters sequences. The "../" sequence was used to traverse one directory above the current and enter the /scripts directory. The "%00" sequence was used both to bypass file extension check and snip off the extension when the file was read in.

 

Reference

"CERT¨ Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS"

[1] http://www.cert.org/advisories/CA-2001-12.html

 

"Novell Groupwise Arbitrary File Retrieval Vulnerability"

[2] http://www.securityfocus.com/bid/3436/info/

 

"Path Traversal" by Wikipedia

[3] http://en.wikipedia.org/wiki/Directory_traversal

 

"Path Traversal" CWE

[4] http://cwe.mitre.org/data/definitions/22.html

 

See Also "Null Byte Injection"

[5] http://projects.webappsec.org/Null-Byte-Injection

Comments (0)

You don't have permission to comment on this page.