Path Traversal

What is a Path Traversal flaw?

The path traversal, or directory traversal, attack is an attack on the server side of web applications.

Although not named explicitly in the OWASP Top 10, this vulnerability can lead to a flaw that is in the top 10: Broken Access Control (A5:2017-Broken Access Control | OWASP).

Broken access control lets a user reach data or functionality outside their intended scope; for example, a normal user being able to modify the profile of any other user, when that action is supposed to be reserved for administrators only.

The path traversal vulnerability consists of manipulating HTTP parameters, most often in the query string (that is, modifying the URL), in order to include sensitive folders or files in a web page.

Consequences of a Path Traversal vulnerability

The path traversal flaw has some serious consequences.

  • Data exfiltration: If the attacker succeeds in including folders containing sensitive files, he will be able to see their names and display their content, such as a user and password list from the targeted system.
  • Access to restricted functionality: This flaw can also lead to the exploitation of other flaws:
      • Recovery of the site’s source code: In the case of a server running PHP, the attacker can include the source code of the various pages and analyze them for other flaws.
      • Server analysis: By including files such as .htaccess, the attacker can learn how the server is configured.

The consequences of a path traversal flaw depend very much on the server configuration.


How to exploit a Path Traversal flaw?

1 - Normal use of an online photo gallery

Let’s take a site that lets users upload images, assigning each one a category under which it is displayed.

Loris, the attacker, selects an image and assigns it a category in order to send it to the server.

Loris then clicks on the “Sport” category, which corresponds to the image he added.

The URL of the page then becomes:

http://www.image-online.com?path=sport

The different images of this category will be displayed with the possibility to click on them to see them in a larger size.

2 - Path Traversal Test

Loris now goes to the “Sport” page and modifies the URL, replacing the value “sport” of the path variable with “./”.

“./” indicates the current folder.

http://www.image-online.com/?path=./

The page that appears shows the different categories that exist for an image.

Loris now knows that he is in the root folder that holds the different categories, and he has a good understanding of how the server works.

3 - Exploitation of the flaw

Loris’ goal is to find out how to use this path traversal to perform actions as an administrator.

The tree structure he currently knows is the following:

By changing the value of the path variable to ../, which moves one level up in the tree, Loris obtains a listing of different file and folder names.

A “Users” folder is visible, and by replacing “../” with “../Users” Loris obtains a list of files that appear to correspond to different users:

By changing the page URL to http://www.image-online.com/Users/Paul.txt, Loris retrieves all of Paul’s information stored on disk, including his password.

He only has to authenticate with that information to obtain an admin account.

OWASP Recommendations

The Open Web Application Security Project (OWASP) provides a guide to avoid path traversal vulnerabilities. We will summarize here the different options available to a developer.

  • Avoid using user input to include local files: This removes the possibility of a user testing for a path traversal flaw at all.
  • Accept only predefined values: This can be implemented as a series of conditions (an allowlist) in the server-side code.
  • If user input must be used, escape or sanitize it so that path traversal patterns (such as “../”) cannot reach the filesystem.
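The following is an added example, not code from the original article or from R&S®Cloud Protector, showing the gallery handler described above in its flawed form next to two hardened variants that follow the OWASP options: an allowlist of predefined category names, and canonicalization of the candidate path with a check that it still lies under the image root. The gallery root path, the category names and the use of Python are assumptions made for the example.

```python
import posixpath
import urllib.parse

# Constructed example: the gallery's image root on the server (assumed path).
GALLERY_ROOT = "/srv/image-online/categories"

# Constructed allowlist of the categories the application actually defines.
ALLOWED_CATEGORIES = {"sport", "nature", "travel"}


def vulnerable_resolve(path_param: str) -> str:
    """The flawed pattern: the ?path= value is joined to the root unchecked.
    A value of '../Users' escapes the image root exactly as described above."""
    return posixpath.normpath(posixpath.join(GALLERY_ROOT, path_param))


def resolve_allowlisted(path_param: str) -> str:
    """OWASP option 'accept only predefined values': the parameter is used
    only as a key into a fixed set, never as a path fragment."""
    if path_param not in ALLOWED_CATEGORIES:
        raise ValueError(f"unknown category: {path_param!r}")
    return posixpath.join(GALLERY_ROOT, path_param)


def resolve_canonical(path_param: str) -> str:
    """OWASP option 'sanitize user input', done by canonicalizing the result
    and requiring it to stay strictly inside GALLERY_ROOT rather than by
    trying to strip '../' patterns out of the string."""
    # Decode percent-encoding once so '%2e%2e/' is judged as '../'.
    decoded = urllib.parse.unquote(path_param)
    # Absolute paths and NUL bytes are never legitimate category names.
    if decoded.startswith("/") or "\x00" in decoded:
        raise ValueError(f"rejected path: {decoded!r}")
    candidate = posixpath.normpath(posixpath.join(GALLERY_ROOT, decoded))
    # commonpath() collapses to the shared prefix; anything that resolves
    # outside the root (or to the root itself, which would list all
    # categories) is refused.
    if candidate == GALLERY_ROOT or \
            posixpath.commonpath([GALLERY_ROOT, candidate]) != GALLERY_ROOT:
        raise ValueError(f"path escapes gallery root: {decoded!r}")
    return candidate


def is_inside_root(path_param: str) -> bool:
    """Convenience wrapper: True if resolve_canonical() accepts the value."""
    try:
        resolve_canonical(path_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values, including the ones from the walkthrough.
    for value in ["sport", "./", "../", "../Users", "%2e%2e/Users"]:
        print(f"{value:14} vulnerable -> {vulnerable_resolve(value)}")
        print(f"{'':14} canonical  -> "
              f"{'accepted' if is_inside_root(value) else 'rejected'}")
```

The allowlist variant is the stronger of the two because the user value never becomes part of a path at all; the canonical variant is the fallback when the set of files is not known in advance. Note that `resolve_canonical` decodes only once: a double-encoded `%252e%252e` stays a literal directory name here, which is harmless unless a front-end component decodes the value again before it reaches this code.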

R&S®Cloud Protector vs Path Traversal

To prevent exploitation of path traversal flaws, R&S®Cloud Protector has an effective method:

  • Malicious pattern detection: R&S®Cloud Protector automatically detects the patterns used in path traversal in order to block and redirect malicious requests.
  • Decoding of multiple encodings: R&S®Cloud Protector can transform encoded characters in order to verify them.

Decoding is applied repeatedly, so a doubly encoded %252e%252e%252f is first turned into %2e%2e%2f and then into ../, where the traversal pattern becomes visible.
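As an added example (not R&S®Cloud Protector's implementation, whose internals the article does not describe), the following Python code shows the two steps just named: percent-decoding a query parameter repeatedly until it stops changing, and then looking for a traversal pattern in the decoded value. The sample request lines, the parameter name `path` and the round limit are constructed for the example; the detection also treats a backslash separator as a traversal, which goes slightly beyond the single pattern the text mentions.

```python
import urllib.parse

# Constructed sample request lines: one normal request, then the traversal
# attempt in plain, single-encoded, double-encoded and backslash forms.
SAMPLE_REQUESTS = [
    "GET /?path=sport HTTP/1.1",
    "GET /?path=../Users HTTP/1.1",
    "GET /?path=%2e%2e%2fUsers HTTP/1.1",
    "GET /?path=%252e%252e%252fUsers HTTP/1.1",
    "GET /?path=..%5cUsers HTTP/1.1",
]

MAX_DECODE_ROUNDS = 5  # assumed bound; stops pathological inputs looping


def decode_fully(value: str) -> tuple[str, int]:
    """Percent-decode until the value no longer changes.
    Returns (decoded value, number of decoding rounds that changed it)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def is_traversal(value: str) -> bool:
    """True if the fully decoded value contains a '..' path component,
    with '\\' treated as a separator like '/'."""
    decoded, _ = decode_fully(value)
    components = decoded.replace("\\", "/").split("/")
    # Only a component that is exactly '..' moves up the tree;
    # a name such as 'sport..ball' does not.
    return ".." in components


def raw_query_param(request_line: str, name: str):
    """Extract the still-encoded value of one query parameter from a request
    line, without the one round of decoding parse_qs() would apply."""
    target = request_line.split(" ")[1]
    query = urllib.parse.urlsplit(target).query
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def flag_requests(lines: list[str]) -> list[dict]:
    """Run the check over request lines; each result records the raw value,
    the decoded value, how many decoding rounds it took and the verdict."""
    results = []
    for line in lines:
        raw = raw_query_param(line, "path")
        decoded, rounds = decode_fully(raw) if raw is not None else ("", 0)
        results.append({
            "line": line,
            "raw": raw,
            "decoded": decoded,
            "rounds": rounds,
            "flagged": raw is not None and is_traversal(raw),
        })
    return results


if __name__ == "__main__":
    for r in flag_requests(SAMPLE_REQUESTS):
        verdict = "BLOCK" if r["flagged"] else "allow"
        print(f"{verdict:5} rounds={r['rounds']} {r['raw']!r} -> {r['decoded']!r}")
```

The `rounds` value is useful on its own as a detection signal: a legitimate browser never double-encodes a category name, so any parameter that needs two or more decoding rounds deserves a closer look even when the final value contains no traversal pattern.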
