Directory Traversal


Directory traversal is an application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

  • aka file path traversal
  • type of injection attack performed against a web server
  • gain access to the file system outside of the web server’s structure where content is stored
  • attacker may read or write files to the operating system
    • When writing files
      • attacker seeks to modify the operation of the server in a way that allows them to take control of it

Example

browsing to https://www.vulnerablewebserver.com/../../../etc/passwd on a vulnerable server would display the contents of the /etc/passwd file.

This URL asks the web server to move in the file system in this fashion:

  1. From /var/www/html (where web content is normally stored)
  2. To /var/www
  3. Then to /var
  4. Then to / (the root directory)
  5. Then back down to /etc
  6. Then to display the contents of /etc/passwd

How it Works

In Short

  • threat actor submits a request for a file outside the web server’s root directory
    • by submitting a path to navigate to the parent directory ( ../ )
  • can succeed if:
    • the input is not filtered properly
    • and access permissions on the file allow the web server’s process to read, write, or execute it

Detailed

  • Web server software runs from well-known file system locations
    • on Linux: /var/www
  • when a website contains HTML similar to <img src="/loadImage?filename=mountains.png">
    • means that the actual location of the file is likely /var/www/images/mountains.png
  • web application retrieves the image file by requesting it from the operating system
  • attacker can exploit this interaction by replacing the loadImage filename with something else
    • e.g., <img src="/loadImage?filename=../../../etc/passwd">
    • would be input to the web application via the URL visible in the browser
    • https://www.foo.com/loadImage?filename=../../../etc/passwd
  • result of this action would be for the content of the /etc/passwd file to be provided to the attacker
  • Another important variation of the directory traversal file path sequence is:
    • to use URL encoding to obscure the characters ../../
    • replacing them with their URL encoded equivalents %2E%2E%2F%2E%2E%2F
      • %2E represents .
      • %2F represents /
  • attack works for Windows operating systems as well
    • Windows Server uses C:\inetpub\wwwroot as the root of web application files

Canonicalization Attack

Canonicalization attack is an attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.

  • used to disguise the nature of the malicious input
  • Canonicalization is the process by which the server converts the different forms in which a resource may be represented or submitted into the simplest (canonical) form it uses to process the input
  • encoding scheme examples:
    • HTML entities
    • character set percent encoding
  • attacker might be able to exploit vulnerabilities in the canonicalization process to perform code injection or facilitate directory traversal

Example of usage to perform Directory Traversal

  • attacker might submit a URL such as the following:
    • http://victim.foo/?show=../../../../etc/config
  • A limited input validation routine would prevent the use of the string ../ and refuse the request
  • If the attacker submitted the URL using the encoded version of the characters
    • might be able to circumvent the validation routine:
    • http://victim.foo/?show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config

Mitigation

  • input validation
  • strict access controls and file permissions
  • configure the web server to only retrieve files with preconfigured file extensions
  • configure the file server to block traversal sequences
    • such as ../../
    • This approach can be bypassed by using the null byte or URL encoded character %00
      • the null byte terminates the string, so the application stops reading the filename at that point and ignores the extension appended after it
      • e.g.,
        • https://www.foo.com/loadImage?filename=../../../etc/passwd%00.png
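The following is an added example, not code from the original notes, showing how the loadImage-style lookup described in "How it Works" can apply the mitigations above in one place: decode the input to its canonical form first, reject null bytes, resolve the path and confirm it stays under the web root, then whitelist the extension. The web root /var/www/images and the extension list are assumed values; posixpath is used so the check is deterministic and never touches the real disk.

```python
"""Defensive path resolution for a /loadImage?filename=... style endpoint.

Added example (not from the original notes). Rejects the plain ../ form,
the percent-encoded form, double encoding, and the %00 suffix trick.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/images"              # assumed document root for images
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}  # assumed whitelist


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e (double
    encoded) becomes '.' before validation; bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_in_webroot(filename: str, web_root: str = WEB_ROOT):
    """Return the canonical absolute path inside web_root, or None if the
    request must be refused. Checks run on the canonical form only."""
    web_root = posixpath.normpath(web_root)
    decoded = decode_fully(filename)
    # A NUL byte never belongs in a filename; in C-style string handling it
    # would truncate the path and silently drop the trailing extension.
    if "\x00" in decoded:
        return None
    # Treat the input as relative to the root even if it starts with '/'.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    # After normalisation the path must still sit at or below the web root.
    if candidate == web_root or posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    # Only serve the file types this endpoint exists to serve.
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


if __name__ == "__main__":
    for name in ["mountains.png", "../../../etc/passwd",
                 "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config",
                 "../../../etc/passwd%00.png", "%252e%252e%252fetc/passwd"]:
        print(f"{name!r:50} -> {resolve_in_webroot(name)}")
```

Because the traversal check compares the normalised result against the root rather than searching for the literal string ../, the encoded variants from the Canonicalization Attack section are handled by the same test as the plain one.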