by peter

Path Traversal Explained

Risk

Risk Rating: MEDIUM
Likelihood: 3/5
Impact: 3/5

Causes

  • Lack of a web application firewall
  • Lack of monitoring
  • Poor coding

Path Traversal Overview

Path Traversal (also known as file directory traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

What you need to know about path traversal

The risk resulting from path traversal or directory traversal is information disclosure. The information could be as benign as being able to view random garbage files or it could be as serious as being able to access API and login credentials through a readable .git directory. Path traversal can be a critical issue for online merchants. If an attacker is able to recover card data or personally identifiable information then there is a serious breach to deal with.

Detecting the vulnerability should be relatively straightforward with good quality vulnerability scanning or web application penetration testing. If you are an online merchant then web application penetration testing should be included in your annual PCI-DSS penetration testing program.

Defending against path traversal / directory traversal attacks is all down to good server configuration security and good coding practices. If these are not present, then use of a web application firewall may prevent the attack from being successful.
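
A monitoring-side check to go with the points above, as an added example that is not the article's own code: a small Python detector run over constructed access-log lines (the addresses, timestamps and requests are made up here). The detail it handles that a naive filter misses is percent-encoding: the request target is decoded (repeatedly, to catch double encoding) before the traversal pattern is matched, and both the "../" and Windows "..\" forms are recognised. Findings that were answered with HTTP 200 are flagged as likely successful reads so they can be triaged first.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in the common log format. The hosts, times and
# requests are invented for this example and are not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /loadImage?filename=218.png HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /loadImage?filename=../../../etc/passwd HTTP/1.1" 200 1840
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /loadImage?filename=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1840
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /loadImage?filename=%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 404 0
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42 HTTP/1.1" 200 7730
"""

# Pulls the client address, method, request target and status out of one line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A dot-dot segment followed by either separator, checked only after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def normalize(target: str) -> str:
    """Percent-decode until the string stops changing (at most three rounds),
    so %2e%2e%2f and the double-encoded %252e%252e%252f both become '../'."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains a traversal
    sequence. 'served' is True when the server answered 200, which in this
    context usually means the file outside the web root was actually returned."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected log format
        decoded = normalize(match["target"])
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                "ip": match["ip"],
                "target": decoded,
                "status": int(match["status"]),
                "served": match["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "SERVED" if finding["served"] else "blocked"
        print(f'{finding["ip"]:>15}  {flag:<8}  {finding["target"]}')
```

Running the block as a script prints three findings: the plain "../" request and its percent-encoded twin (both answered 200) and the backslash variant (answered 404). A filter that matches the raw request line without decoding would miss the last two.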

How path traversal attacks happen

Path traversal attacks are very simple to execute and there are numerous open source tools to do exactly that. Tools such as FFuf and DirBuster are capable of automating massive amounts of traversal attacks using common wordlists, such as the SecLists collection.

Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:

<img src="/loadImage?filename=218.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:

/var/www/images/218.png

The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server’s filesystem:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

This causes the application to read from the following file path:

/var/www/images/../../../etc/passwd

The sequence ../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, and so the file that is actually read is:

/etc/passwd

On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server.

On Windows, both ../ and ..\ are valid directory traversal sequences, and an equivalent attack to retrieve a standard operating system file would be:

https://insecure-website.com/loadImage?filename=..\..\..\windows\win
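
The loadImage behaviour described above, as an added example that is not the article's own code: a Python handler modelled on the article's /var/www/images/ layout, in its vulnerable form beside a hardened one. The directory tree, the image file and the secret.txt stand-in for "something outside the images directory" are constructed in a temporary directory so the block runs offline. The hardened version canonicalises the requested name and refuses anything that does not resolve beneath the images directory, which also covers the percent-encoded and Windows backslash forms the article mentions.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed layout (assumption, modelled on the article): the images
# directory lives under a fake root, and one file sits a level above it to
# stand in for anything the application must never serve.
ROOT = Path(tempfile.mkdtemp())
IMAGES = ROOT / "var" / "www" / "images"
IMAGES.mkdir(parents=True)
(IMAGES / "218.png").write_bytes(b"PNG-DATA")
(ROOT / "var" / "www" / "secret.txt").write_text("db-password")


def load_image_unsafe(filename: str) -> bytes:
    """Vulnerable: appends the request parameter straight onto the base
    directory. Every '../' the client sent survives the join, so the OS
    resolves it and walks out of the images directory."""
    return Path(os.path.join(IMAGES, filename)).read_bytes()


def load_image_safe(filename: str) -> bytes:
    """Hardened: decode, resolve to a canonical absolute path, then require
    that the result is still strictly below the images directory."""
    decoded = unquote(filename)            # collapse %2e%2e%2f-style encoding
    decoded = decoded.replace("\\", "/")   # treat Windows separators like '/'
    base = IMAGES.resolve()
    candidate = (base / decoded).resolve()  # resolves '..' and symlinks; an
                                            # absolute name replaces base here
    if base not in candidate.parents:
        raise PermissionError(f"rejected path outside images dir: {filename!r}")
    return candidate.read_bytes()


def probe(loader, filename: str) -> str:
    """Run one loader on one request value and describe the outcome."""
    try:
        return loader(filename).decode()
    except (PermissionError, FileNotFoundError, IsADirectoryError) as exc:
        return f"blocked: {type(exc).__name__}"


if __name__ == "__main__":
    for name in ["218.png", "../secret.txt", "..%2fsecret.txt", "..\\secret.txt"]:
        print(f"{name:<18} unsafe={probe(load_image_unsafe, name):<22} "
              f"safe={probe(load_image_safe, name)}")
```

The check is done on the resolved path rather than by stripping "../" from the input: stripping can be bypassed by nested or encoded sequences, whereas a canonicalised path either ends up under the base directory or it does not. Web frameworks normally percent-decode query parameters once before the handler sees them; the explicit unquote here only matters if the value arrives raw.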

Attack Sources

Web application attacks such as path traversal and directory traversal can originate from anywhere in the world. Attackers can easily mask their whereabouts so they can run a series of enumeration and discovery attacks.