Glossary
The Directory Traversal attack (also known as a Path Traversal attack) allows an attacker to access files, directories, and commands that reside outside the web root directory.
Directory Traversal is an injection attack that takes advantage of the fact that all but the simplest web applications include local resources such as images, themes, other scripts, and more.
Every time a resource or file is included by the application, there is a risk that an attacker may be able to include a file or remote resource that hasn’t been authorized.
A basic Path Traversal attack uses the "../" special-character sequence to alter the resource location requested in the URL. If an attacker is able to perform directory traversal on the site, in some cases they might be able to read or write arbitrary files on the server, allowing them to modify application data or behavior and ultimately take full control of the server.
During a penetration test the tester discovers the following URL:
www.example.com/index.php?file=coolimage
This tells us that content is being loaded from a file named ‘coolimage’. The tester then injects the following sequence in place of the file name: “../../../../../../etc/passwd”
If the application is vulnerable, the server will navigate up to the root directory, look for the file “etc/passwd”, and return its contents in the HTTP response, disclosing the password file.
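The same "../" sequence, and its URL-encoded and double-encoded variants, is what a defender looks for in web server logs. The following detection routine is an added example written for this glossary entry, not code from the page's author; it assumes Apache-style combined log lines and uses a handful of constructed sample requests (no real traffic). It decodes percent-encoding repeatedly before matching, so that "%2e%2e%2f" and "%252e%252e%252f" are caught as well as a literal "../":

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?file=coolimage HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# One common-log-format line: client IP, two ident/user fields, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment that is preceded by start-of-string or a non-alphanumeric
# character (such as "/", "=", "\") and followed by a separator or the end.
TRAVERSAL_RE = re.compile(r"(?:^|[^A-Za-z0-9])\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing (bounded rounds).

    Double encoding (%252e -> %2e -> .) is a classic way to slip past a
    single-pass filter, so detection must decode more than once.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True if the request target contains a '../'-style sequence after decoding."""
    return TRAVERSAL_RE.search(fully_decode(target)) is not None


def scan_log(text: str):
    """Return (ip, target, status) for every request that looks like traversal."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these separately
        if is_traversal_attempt(match["target"]):
            hits.append((match["ip"], match["target"], int(match["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {target} (HTTP {status})")
```

The status code matters when triaging: a 200 on a traversal request is a much stronger signal that the application actually served something than a 404, which suggests the server or a filter rejected it.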
To remediate these attacks, OWASP lists the following steps that help prevent them:
- Prefer working without user input when using file system calls
- Use indexes rather than actual portions of file names when templating or using language files (e.g. value 5 from the user submission = Czechoslovakian, rather than expecting the user to return “Czechoslovakian”)
- Ensure the user cannot supply all parts of the path – surround it with your path code
- Validate the user’s input by only accepting known good – do not sanitize the data
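The example above (index.php?file=coolimage) and the OWASP steps just listed can be put side by side in code. What follows is an added example for this entry, not code from the page's author or from OWASP: a vulnerable loader that concatenates the request parameter straight into a path, beside two hardened loaders that apply the index-instead-of-name rule, the surround-with-your-own-path-code rule, and allowlist validation. It builds a small throwaway "web root" with a sample image and a file that must never be served, so it runs offline; the directory layout and file names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional


def make_sample_root() -> Path:
    """Constructed throwaway web root: images/coolimage plus a file outside images/."""
    root = Path(tempfile.mkdtemp(prefix="traversal_demo_")).resolve()
    images = root / "images"
    images.mkdir()
    (images / "coolimage").write_bytes(b"PNG-DATA")
    (root / "secret.txt").write_text("should never be served")
    return root


SAMPLE_ROOT = make_sample_root()
IMAGE_DIR = SAMPLE_ROOT / "images"


def load_image_vulnerable(name: str) -> bytes:
    """Vulnerable pattern: the raw request parameter becomes part of the path.

    A name of "../secret.txt" walks out of IMAGE_DIR, exactly as the
    "../../../../../../etc/passwd" payload does against index.php?file=.
    """
    return (IMAGE_DIR / name).read_bytes()


# OWASP step 2: the client sends an index, never a file name. Unknown index -> nothing.
IMAGE_INDEX = {5: "coolimage"}


def load_image_by_index(idx: int) -> Optional[bytes]:
    name = IMAGE_INDEX.get(idx)
    if name is None:
        return None
    return (IMAGE_DIR / name).read_bytes()


# OWASP step 4: accept only known good. Letters, digits, "_" and "-" cannot
# spell "..", "/" or "\" in any encoding, so no sanitizing is attempted.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_safe_name(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None


def load_image_validated(name: str) -> bytes:
    """OWASP steps 3 and 4: validate, then wrap the value in our own path code."""
    if not is_safe_name(name):
        raise ValueError("rejected: file name is not on the allowlist")
    # The application, not the user, supplies the directory; the user supplies
    # only one path component.
    candidate = (IMAGE_DIR / name).resolve()
    # Defence in depth: the resolved path must still sit inside IMAGE_DIR.
    try:
        candidate.relative_to(IMAGE_DIR)
    except ValueError:
        raise ValueError("rejected: path escapes the image directory") from None
    return candidate.read_bytes()


if __name__ == "__main__":
    print(load_image_vulnerable("coolimage"))
    print(load_image_vulnerable("../secret.txt"))  # escapes the image directory
    print(load_image_by_index(5))
    print(load_image_validated("coolimage"))
    try:
        load_image_validated("../secret.txt")
    except ValueError as err:
        print(err)
```

The allowlist check rejects encoded forms such as "..%2Fsecret.txt" as well, because "%" is simply not an allowed character; that is the practical difference between accepting known good and trying to strip known bad.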