PortSwigger - Directory Traversal - Theory
Introduction
Directory traversal, also known as file path traversal, is a vulnerability that allows an attacker to read arbitrary files on the server that is running the application (application code and data, configuration, credentials) and, in some cases, to write to them as well.
References:
Rana Khalil Academy - Directory Traversal
PortSwigger - Path traversal
OWASP - Path traversal
Impact of Directory Traversal Vulnerabilities:
- Unauthorized access to application data, source code and server files.
Confidentiality
- Allows you to read arbitrary files on the system (application code and data, credentials for back-end systems, sensitive operating system files).
Integrity
- Some cases allow you to write to files, and therefore alter files on the system.
Availability
- Some cases allow you to write to files, and therefore delete or overwrite files the system depends on.
- If the directory traversal vulnerability allows you to write files and through that run commands on the server, it can lead to full code execution on the server.
Finding directory traversal Vulnerabilities:
Black box testing:
- Map application
- Identify all instances where the web application appears to contain the name of a file or directory.
- Identify all functions in the application whose implementation is likely to involve retrieval of data from the server filesystem (file downloads, image loaders, template or language selectors, log viewers).
- Test identified instances with common directory traversal payloads and observe how the application responds.
- Automate testing using a web application vulnerability scanner (WAVS)
White box testing:
- Identify instances where user-supplied input is being passed to file APIs or as parameters to the operating system.
- Identify instances in a running application first (black-box perspective) and then review the code responsible for that functionality.
- Grep for functions in the code that are known to open, include or evaluate files on the server, and review whether their path argument is derived from user-supplied input.
- Use a tool that monitors all filesystem activity on the server (for example strace on Linux or Process Monitor on Windows). Then test each page of the application by inserting a single unique string into every parameter, filter the tool's output for that string, and identify all filesystem events that contain it.
- Validate potential directory traversal vulnerabilities on a running application.
Exploiting directory traversal vulnerabilities:
Regular case (no defenses in place):
../../../../../../etc/passwd
..\..\..\..\..\..\windows\win.ini
Windows accepts both backslashes and forward slashes as directory separators, so the Linux-style payload often works there too.
Absolute paths (when the application does not strip or block the leading slash):
/etc/passwd
Traversal sequences stripped non-recursively:
....//....//....//etc/passwd
A single pass that removes each "../" turns every "....//" into "../", leaving us with: ../../../etc/passwd
- Bypass filters that strip or block traversal sequences by URL-encoding the ../ characters, or double-encoding them when the application decodes the value a second time after the web server has.
- Bypass start-of-path validation (the application requires the supplied path to begin with the expected base folder) by starting with that folder and then traversing out of it:
/var/www/images/../../../etc/passwd
- Bypass file extension validation using a null byte: the extension check sees .png, but the underlying filesystem API treats the null byte as the end of the string:
../../../etc/passwd%00.png
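To see exactly what each bypass payload above turns into before it reaches the operating system, here is an added example that is not part of the PortSwigger notes or any real application: every filter in it is a constructed stand-in for one of the flawed defenses listed, the base directory /var/www/images/ is assumed, and the double-encoding case assumes the web server decodes the parameter once and the application decodes it again. It also shows the caveat that the ....// trick does nothing against a recursive filter.

```python
# Added example (not from the PortSwigger notes above): each filter below is a
# constructed stand-in for one of the flawed defenses listed, so the reader can
# see the exact string each bypass payload turns into before it reaches the OS.
import posixpath
from urllib.parse import unquote

BASE = "/var/www/images/"          # assumed base directory of the image loader


def strip_once(path: str) -> str:
    """Non-recursive filter: every literal '../' is removed in a single pass."""
    return path.replace("../", "")


def strip_recursive(path: str) -> str:
    """Recursive filter: keeps stripping until no '../' is left."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def blocked_before_decode(raw: str) -> bool:
    """Filter that inspects the parameter *before* it is URL-decoded."""
    return "../" in raw


def passes_prefix_check(path: str) -> bool:
    """Start-of-path validation: only the literal prefix is compared."""
    return path.startswith(BASE)


def passes_extension_check(path: str) -> bool:
    """Extension validation on the full (Python) string."""
    return path.endswith(".png")


def as_opened_by_os(path: str) -> str:
    """Approximate what the OS opens: stop at the first NUL byte, as a C-based
    filesystem API would, then resolve the '..' segments."""
    return posixpath.normpath(path.split("\x00", 1)[0])


def bypass_report() -> dict:
    """Run each bypass payload through the matching weak filter."""
    nested = "....//....//....//etc/passwd"
    encoded = "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"
    double_encoded = "..%252f..%252f..%252fetc/passwd"   # %252f -> %2f -> /
    prefixed = BASE + "../../../etc/passwd"
    null_byte = "../../../etc/passwd\x00.png"            # %00 after decoding
    return {
        # "....//" loses its inner "../" once and collapses to "../"
        "strip_once": strip_once(nested),
        # the same payload is useless against a recursive filter
        "strip_recursive": strip_recursive(nested),
        # raw-string filter never sees "../"; the app decodes afterwards
        "encoded_blocked": blocked_before_decode(encoded),
        "encoded_opened": as_opened_by_os(unquote(encoded)),
        # server decodes once (still no "../"), application decodes again
        "double_blocked": blocked_before_decode(unquote(double_encoded)),
        "double_opened": as_opened_by_os(unquote(unquote(double_encoded))),
        # prefix check is satisfied, but ".." walks back out of BASE
        "prefix_passes": passes_prefix_check(prefixed),
        "prefix_opened": as_opened_by_os(prefixed),
        # Python sees ".png"; the C-level open() stops at the NUL byte
        "ext_passes": passes_extension_check(null_byte),
        "ext_opened": as_opened_by_os(null_byte),
    }


if __name__ == "__main__":
    for key, value in bypass_report().items():
        print(f"{key:16} {value!r}")
```

Running it prints, for each defense, whether the filter lets the payload through and the path the filesystem finally sees; the strip_recursive entry ends up as the harmless etc/passwd, which is why the nested payload is only listed against non-recursive stripping.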
Preventing directory traversal:
- Avoid passing user-supplied input to filesystem APIs altogether where possible (for example, map a fixed identifier to a file on the server side).
- Validate input against an allow list of permitted values, or at least confirm it is a bare filename in the expected format with no path separators or ".." sequences.
- Append the validated input to the base directory, use filesystem APIs to canonicalize the resulting path, and verify that the canonical path starts with the expected base directory including its trailing separator, so that a sibling directory sharing the same prefix is not accepted.
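The following is an added example, not code from PortSwigger or the referenced notes, that puts the vulnerable loader next to a hardened one applying the controls above. The directory layout, file contents and the allow-list pattern for image names are constructed assumptions for the demonstration; it also shows why the "starts with the base directory" check must not be a plain string-prefix test.

```python
# Added example (not code from PortSwigger or the referenced notes): the
# vulnerable loader next to a hardened one that applies the three controls
# above.  The directory layout and file contents are constructed fixtures.
import os
import re
import tempfile

# Allow list for the expected input shape: a bare image filename with no
# separators and no '..' (assumed policy for this example).
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.(png|jpe?g)")


def read_file_vulnerable(base_dir: str, user_filename: str) -> bytes:
    """What the advice warns against: user input goes straight to the
    filesystem API.  os.path.join also discards base_dir entirely when
    user_filename is absolute."""
    with open(os.path.join(base_dir, user_filename), "rb") as fh:
        return fh.read()


def resolve_within(base_dir: str, user_filename: str) -> str:
    """Canonicalize base and candidate, then require the candidate to lie
    under base.  commonpath is used instead of startswith because
    '/srv/images_private'.startswith('/srv/images') is True."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_filename))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_filename!r} resolves outside {base}")
    return candidate


def read_file_hardened(base_dir: str, user_filename: str) -> bytes:
    """Allow-list validation first, canonical-path containment second."""
    if not ALLOWED_NAME.fullmatch(user_filename):
        raise ValueError(f"{user_filename!r} is not a permitted image name")
    with open(resolve_within(base_dir, user_filename), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree and exercise both loaders against it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "images")
        private = os.path.join(root, "images_private")   # shares the prefix
        os.mkdir(images)
        os.mkdir(private)
        with open(os.path.join(images, "cat.png"), "wb") as fh:
            fh.write(b"PNG-DATA")
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(b"TOP SECRET")
        with open(os.path.join(private, "key.png"), "wb") as fh:
            fh.write(b"KEY")

        secret_abs = os.path.join(root, "secret.txt")
        results["legit"] = read_file_hardened(images, "cat.png")
        results["vuln_traversal"] = read_file_vulnerable(images, "../secret.txt")
        results["vuln_absolute"] = read_file_vulnerable(images, secret_abs)

        for name, payload in {
            "hardened_traversal": "../secret.txt",
            "hardened_absolute": secret_abs,
            "hardened_sibling": "../images_private/key.png",
        }.items():
            try:
                read_file_hardened(images, payload)
                results[name] = "read"
            except (ValueError, PermissionError) as exc:
                results[name] = type(exc).__name__

        # With the allow list out of the way, canonicalization alone must
        # still reject the sibling directory, which a plain startswith test
        # on the canonical path would wrongly accept.
        sibling = os.path.realpath(os.path.join(images, "../images_private/key.png"))
        results["startswith_accepts_sibling"] = sibling.startswith(os.path.realpath(images))
        try:
            resolve_within(images, "../images_private/key.png")
            results["canonical_sibling"] = "allowed"
        except PermissionError:
            results["canonical_sibling"] = "PermissionError"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value!r}")
```

The allow list stops the traversal and absolute-path payloads before any filesystem call is made; the canonical-path containment check is the second layer that catches what an overly permissive pattern would let through, and using os.path.commonpath (or comparing against the base plus a trailing separator) is what keeps images_private from being treated as inside images.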
This post is licensed under CC BY 4.0 by the author.