Directory Traversal
Directory Traversal
Definition:
Directory traversal is a type of attack where an attacker tries to access files and directories that are stored outside the web root folder. By manipulating variables that reference files or using ".." sequences and its variations, an attacker can access arbitrary files and directories stored on the file system, potentially leading to sensitive information disclosure.
Key Points:
The goal is to exploit insufficient security validation/sanitization of user-supplied input file names.
Attackers usually employ ".." to navigate up directories.
It can be used to read application source code, configuration files, system files, or even execute arbitrary code in certain circumstances.
Attack Scenario:
An application allows users to view files (e.g., "view.php?file=filename.txt").
Instead of a legitimate file, the attacker provides a path like "../../../etc/passwd" to navigate out of the intended directory and read a sensitive file.
Example Attack:
bashhttp://example.com/view.php?file=../../../etc/passwdCommon Targets:
File viewing or downloading functionalities.
File upload features (trying to overwrite critical files).
Log viewing utilities.
Any feature that interacts with the file system based on user input.
Mitigation:
User Input Validation:
Reject any file path input containing "..", "./" or any other suspicious characters or sequences.
Use regular expressions for strict filtering.
Use a Secure Default Path:
Use a constant, application-defined prefix for file paths. Append user input to this prefix after validation, ensuring you never move "up" in directories.
Disallow Absolute Paths:
Only accept relative file names from users, not absolute paths.
Use a Mapping:
Instead of using actual file paths based on user input, map identifiers to file paths on the server side.
Limit User Permissions:
Run applications with the least privilege necessary. This way, even if an attacker can perform directory traversal, they can't access sensitive files.
Use Platform APIs:
Utilize platform-provided APIs to open and read files, as these often have built-in protections against directory traversal.
Implement Web Application Firewall (WAF):
A WAF can often detect and block directory traversal attacks based on known patterns.
Regular Code Reviews:
Periodically review code, especially parts that deal with file input/output, to ensure no potential directory traversal vulnerabilities are introduced.
Bypass Techniques:
Attackers employ various tricks to bypass naive directory traversal protections:
Double URL Encoding:
Encoding characters like ".." to bypass filters. For instance, ".." can be URL encoded as "%2E%2E".
Using Alternate Encodings:
Using UTF-16 or other character encodings to represent traversal sequences.
Mixing Unicode and Wide Character Formats:
By mixing these formats, attackers might bypass simple filters.
Overlong UTF-8 Encoding:
Using more bytes than necessary in UTF-8 encoding to represent a character, potentially bypassing filters.
Case Variation:
Mixing case (e.g., "..", "..", "..") to bypass case-sensitive filters.
Null Byte Injection:
Appending a null byte ("%00") to the traversal sequence, attempting to trick the application into seeing only the part before the null byte.
Using Forward Slashes on Windows:
Windows servers might interpret forward slashes ("/") as directory delimiters. If a filter only checks for backslashes ("\"), this could be a bypass.
Conclusion:
Directory traversal attacks can leak sensitive information or even lead to code execution in some contexts. By understanding the methods used by attackers and diligently applying layered protections, developers can safeguard their applications against this vulnerability. Regular testing, code reviews, and being aware of potential bypass techniques are crucial for robust security against directory traversal attacks.
Last updated