The Path Traversal attack technique (also called Directory Traversal) allows an attacker to access files and directories, and in some cases execute commands, that reside outside the web root directory. Armed with access to application source code, configuration and critical system files, an attacker can manipulate a URL so that the application reveals the contents of, or executes, arbitrary files anywhere on the server. Any device or application that exposes an HTTP-based interface is potentially vulnerable to a Path Traversal attack.
Most websites restrict user access to a specific portion of the file system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executables necessary to drive web application functionality. To access files or execute commands anywhere on the file system, Path Traversal attacks use the "../" (dot-dot-slash) sequence, which the operating system resolves to the parent directory, to step out of that root and alter the resource location requested in the URL.
Path traversal attacks rely on two vulnerable elements: the web application code and the web server configuration. By taking care to avoid vulnerabilities in both areas, you can mitigate the majority of such attacks.
Vulnerable web applications use unvalidated user input in file names and paths; it is strongly recommended not to accept file paths from user input at all. If you do need to take file names or paths from user input, validate them by whitelisting permitted names and/or characters. Blacklisting, that is, filtering out "../" and similar strings, is a much weaker control, because attackers can evade such filters with alternate encodings and nested sequences. On the web server side, ensure you are using up-to-date web server software.
Path Traversal is most common in upload and download functionality, but can occur whenever the site loads a file from the server based on a parameter in the request. If a file path or filename appears in a parameter value, you can test for path traversal with a request like the URL below:
To test for path traversal attack, the attacker could try to access the system file /etc/passwd by visiting the URL:
If the application simply takes the value of the file parameter from the URL, joins it to the document root and passes the result to a system call, the operating system resolves each "../" to the parent directory, so the relative path ../../etc/passwd climbs out of the document root and the system loads the password file instead of a file the application intended to serve.
Many applications that place user input into file paths implement some kind of defence against path traversal attacks, and these can often be circumvented. If an application strips or blocks directory traversal sequences from the user-supplied filename, it might be possible to bypass the defence using a variety of techniques. These include alternate encodings of the "../" sequence, such as the URL-encoded form %2e%2e%2f, which slips past a filter that inspects the value before it is decoded, and nested sequences such as "....//", which collapse back into "../" after a filter strips the inner "../" in a single pass.
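To make the three behaviours described above concrete (the naive handler, the blacklist that strips "../", and a whitelist plus canonical-path check as the defence), here is an added Python example. It is not code from the original article. It assumes a query parameter named file, a document root of /srv/files (chosen so that two "../" steps reach the filesystem root, matching the ../../etc/passwd payload), and replaces the real filesystem with a constructed in-memory table so it runs offline; the logic is the same in any language.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example (not from the article). Two "../"
# steps from here reach "/", so the ../../etc/passwd payload lands on /etc/passwd.
DOC_ROOT = "/srv/files"

# Constructed stand-in for the server's filesystem: absolute path -> bytes.
# Real code would call open(); a dict keeps the example runnable offline.
FAKE_FS = {
    "/srv/files/report.pdf": b"%PDF-1.4 constructed sample report",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}

# Whitelist for the hardened handler: a bare filename such as report.pdf,
# with no slashes and no dots other than the one before the extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def vulnerable_read(file_param: str) -> Optional[bytes]:
    """Vulnerable handler: the raw 'file' parameter is URL-decoded, joined to
    DOC_ROOT and resolved exactly as the OS would, so ../ climbs out of the root.
    (posixpath.join also discards DOC_ROOT if the value starts with '/'.)"""
    path = posixpath.normpath(posixpath.join(DOC_ROOT, unquote(file_param)))
    return FAKE_FS.get(path)


def blacklist_read(file_param: str) -> Optional[bytes]:
    """Still vulnerable: strips literal '../' from the parameter before it is
    decoded and resolved. str.replace makes a single pass, so '....//' collapses
    to '../' after stripping, and '%2e%2e%2f' contains no literal '../' at all."""
    cleaned = file_param.replace("../", "")
    return vulnerable_read(cleaned)


def safe_read(file_param: str) -> Optional[bytes]:
    """Hardened handler: decode first, accept only a whitelisted bare filename,
    then confirm the canonical path is still under DOC_ROOT (defence in depth)."""
    name = unquote(file_param)
    if not ALLOWED_NAME.fullmatch(name):
        return None
    path = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if posixpath.commonpath([DOC_ROOT, path]) != DOC_ROOT:
        return None
    return FAKE_FS.get(path)


# Constructed payloads, written as they would appear in the query string.
PAYLOADS = {
    "legitimate": "report.pdf",
    "plain traversal": "../../etc/passwd",
    "nested bypass": "....//....//etc/passwd",
    "url-encoded bypass": "%2e%2e%2f%2e%2e%2fetc/passwd",
}


def run_matrix() -> dict:
    """Return which payloads each handler serves, as {handler: {label: bool}}."""
    handlers = {
        "vulnerable": vulnerable_read,
        "blacklist": blacklist_read,
        "safe": safe_read,
    }
    return {
        hname: {label: fn(p) is not None for label, p in PAYLOADS.items()}
        for hname, fn in handlers.items()
    }


if __name__ == "__main__":
    for handler, results in run_matrix().items():
        print(handler, results)
```

Running the matrix shows the point of the article in one table: the naive handler serves the plain and URL-encoded payloads, the blacklist blocks the plain payload but serves both bypasses (the nested one only works because the filter itself manufactures the "../"), and the whitelist handler serves only report.pdf. Note that the containment check alone would also be sound here, but a whitelist of permitted names is the recommended primary control; the canonical-path comparison is kept as a second, independent layer.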
Path traversal exploits are one of the many ways hackers will try to get into your web applications. And of course, those bad guys are always coming up with clever modifications. Fortunately, our Service Delivery team is on top of things. If you want to stay abreast of secure development practices, this webinar is for you. In this webinar, team members from the application security engineering teams will explore what a path traversal exploit consists of, demonstrate a new way of exploiting a flaw in website application coding that allows a path traversal attack, and explain how to prevent such attacks through whitelisting and secure coding practices.