· security · 5 min read

Directory Traversal Attack

Directory traversal attacks are subtle information gathering techniques exploiting poor server configurations to expose files that are not meant to be publicly accessible on a server.

Directory traversal attacks are subtle information gathering techniques exploiting poor server configurations to expose files that are not meant to be publicly accessible on a server.

What are directory traversal attacks?

Directory traversal attacks, also known as path traversal attacks or ../ (dot dot slash) attacks, are a type of security vulnerability where an attacker can access unauthorized directories and files on a web server. These attacks typically exploit insufficient input validation or improper handling of user input by a web application. It involves manipulating file paths to navigate through the entire directory structure of a web server.

Understanding Directory Traversal

When accessing a web page, you will normally input the address on the URL bar. A look at a regular URL like

https://www.example.com/

would normally serve the main homepage of the website. In order to understand directory traversal, lets begin dissecting the URL above so that we can tell how the attack works. The https stand for the scheme used. www.example.com is the host. In other words, it is a domain name that will be mapped to an IP address by the DNS service. In this case, the IP address where the server we want to access files is located.

After this point, if we need to go to different locations on the website, we would have to add extra paths to the URL so that the server can give us access to those files. Let’s take for example a website that has been built using PHP, the main homepage would be served from a file named index.php If we want to go to another page we might have to alter the URL to access the page. Using https://www.example.com/about.php would serve the file named about.php if it exists on the server.

In a situation where the file is not present on the server, an error 404 is returned to the user to indicate that the file is not available on the server. Having this knowledge, an individual can decide to see what files are present on the server. You can begin by simply guessing names and seeing what it returns. Should you get a 404 error, you rule out the possibility of the file existing.

Steps to perform directory Traversal Attacks

The main aim of directory traversal is to obtain information beyond what the developer of a web application intended. The simplest way to do it is to begin by analyzing the code of a website. Press Ctrl + U on the keyboard to expose the front end code of the website. Look for the following information to get you started:

  • location of stylesheets and scripts
  • location of images
  • structures of dynamic links
<link rel="stylesheet" type="text/css" href="/styles/app.css">
<img src="/pics/image.png">
<script src="/js/app.js"></script>

The above information reveals that stylesheets are located in a folder named styles, images are located in pics, and Javascript files are located in js. However, there is nothing much that can be done here except getting a list of all image files located in pics if we navigate to https://example.com/pics and the server has been configured to allow directory listing. If not, we will get an error or a white screen.

However, supposing you notice something like this, then directory traversing might be possible.

<a src="/view?file=./pics/image.png">View Image</a>

Navigate to https://www/example.com/view?file=./pics/1.png to access the image. You can then begin to do directory traversal from there if the site is vulnerable. Navigating to https://www/example.com/view?file=./styles/app.css would load the stylesheet instead of the image. From there, you can read files on the server as long as you know where they are located.

Navigating to https://www/example.com/view?file=/etc/passwd might reveal sensitive information never intended for the public. Depending on the way the code is vulnerable, different techniques might help you to get access to server files. You can traverse directories and files using

../../etc/passwd # No validation at all present
..../..../etc/passwd # In case validation is not done correctly to remove the ..
../../etc/passwd%00 # Using a null byte in case the application needs file extension

There are many ways to trick a vulnerable system and traverse its directories using tools like

  1. FFUF https://github.com/ffuf/ffuf
  2. Burp Suite https://portswigger.net/burp/communitydownload

among a majority of others. The true impact of directory traversal is the leakage of sensitive information that may lead to theft of sensitive user data.

Detection and Prevention

Take a look at the following vulnerable piece of code

<?php

$file = $_GET['file'];

include($file);

Preventing path traversal vulnerabilities is most efficiently achieved by refraining from passing user-supplied input to filesystem APIs. Many functions within applications that engage in this practice can be restructured to achieve the same outcomes in a more secure manner.

In cases where it is unavoidable to pass user-supplied input to filesystem APIs, it is advisable to implement a two-tiered defense strategy to thwart potential attacks:

Firstly, validate the user input before processing it. It is recommended to compare the input against a whitelist of authorized values whenever possible. If this is not feasible, ensure that the input exclusively contains accepted content, such as limiting it to alphanumeric characters.

Following the validation of the supplied input, append it to the base directory and employ a platform filesystem API to standardize the path. Subsequently, verify that the canonicalized path indeed commences with the anticipated base directory to enhance security measures

You might correct the vulnerable code above with the following modification

<?php
// Assuming files are located in a specific directory
$baseDirectory = '/path/to/your/files/';

// Get the user-supplied file parameter
$file = $_GET['file'];

// Validate and sanitize the input
$allowedFiles = ['file1', 'file2', 'file3']; // List of allowed files

if (in_array($file, $allowedFiles)) {
    // Construct the full path to the file
    $filePath = $baseDirectory . $file;

    // Include the file
    include($filePath);
} else {
    // Invalid file, handle accordingly (e.g., log, display an error, etc.)
    echo "Invalid file specified.";
}

There is also another way that you can do this but that calls for a developer’s creativity as long as you stick to proper input validation.

Conclusion

Always ensure that user supplied values are properly sanitized to prevent exposing your web application to vulnerabilities. Safe coding practises go a long way in preventing headaches and having to do brand damage control. Always write quality code, and pentest your application before deploying it for production.

You can get in touch with us for application pentesting services to help mitigate bugs and vulnerabilities in your code.

Share:
Back to Blog