What is Path Traversal?
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, an attacker can access other files on the server. This may include confidential files, sensitive system files, or files containing passwords.
A successful path traversal attack can give an attacker unauthorized access to sensitive information, potentially leading to data breaches or system compromise. In some cases, an attacker may be able to modify files on the server, which could allow them to inject malicious code that is executed the next time the file is accessed. Alternatively, an attacker could use the ability to modify files to destroy the availability of data. All in all, path traversal can affect all three properties of the CIA triad (confidentiality, integrity, and availability).
Path traversal attacks are also often used in conjunction with other attacks, such as cross-site scripting (XSS), cross-site request forgery (CSRF), or SQL injection, to maximize the impact of the attack.
Path traversal attacks are also known as “directory climbing attacks”, “directory traversal vulnerabilities”, “dot-dot-slash attacks”, “directory climbing vulnerabilities”, “backtracking”, or “../” traversal.
The terms “absolute path traversal” and “relative path traversal” are often used to describe this attack. In an absolute path traversal attack, the attacker knows the file system structure and can specify the exact location of the file or directory they want to access. In a relative path traversal attack, the attacker does not know the file system structure and can only specify the location of files or directories relative to the application's own directory.
Preventing path traversal attacks requires proper input validation. All user-supplied input should be carefully sanitized to remove any potentially harmful characters, such as “../”. In addition, proper access control measures should be in place to restrict access to sensitive files and directories.
The path traversal vulnerability is formally defined by MITRE in CWE-22 through CWE-35. In the latest OWASP Top 10 (2021), path traversal is included along with other vulnerabilities such as forced browsing and file inclusion in the “A01:2021-Broken Access Control” category.
Path Traversal Examples
The following application allows users to fetch resources with requests to the following URL:
In this example, it is possible to insert a malicious string into the “file” parameter in order to access files located outside of the web root directory. If the attacker is trying to read the /etc/passwd file on a *NIX system, the exploit could look as follows:
In this example, it is possible to obtain CGI source code from the server:
While the above examples illustrate path traversal in URL parameters, this vulnerability can also be found in other locations, such as request headers and cookies, POST request body parameters, and non-HTTP protocols such as misconfigured FTP servers. As path traversal can lead to complete server compromise in many cases, it is often considered a high or critical risk vulnerability.
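Because the traversal sequence can arrive in any of the locations just listed and in several encodings, a defender's first step is usually to look for it in access logs. The following is an added example (not part of the original page or of BB-SEC's tooling) that scans constructed, made-up access-log lines for “dot-dot-slash” sequences, their URL-encoded and double-encoded variations, backslash variants, and absolute paths supplied in query parameters. The log format, IP addresses and request targets are all invented for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc/shadow HTTP/1.1" 403 0
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /static/css/..dots/style.css HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2023:13:55:55 +0000] "GET /download?file=..\\..\\windows\\win.ini HTTP/1.1" 200 100
10.0.0.7 - - [10/Oct/2023:13:55:58 +0000] "GET /download?file=/etc/hosts HTTP/1.1" 200 150
"""

# client ip ... [timestamp] "METHOD target HTTP/x"
_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')
# ".." (or more dots, which catches "....//"-style filter evasion) followed by a slash or
# backslash, or a trailing ".." segment at the end of the target.
_TRAVERSAL = re.compile(r'\.{2,}[\\/]|[\\/]\.{2,}$')
# A parameter value that is an absolute POSIX path or a Windows drive path.
_ABSOLUTE = re.compile(r'^(?:/|[A-Za-z]:[\\/])')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that double-encoded
    sequences such as %252e%252e%252f are seen as ../ by the checks below."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> Optional[str]:
    """Return a reason string if the request target looks like a traversal attempt, else None."""
    decoded = fully_decode(target)
    if _TRAVERSAL.search(decoded):
        return "dot-dot-slash sequence"
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if _ABSOLUTE.match(fully_decode(value)):
                return "absolute path in parameter"
    return None


def scan_log(text: str) -> list:
    """Scan log text; return (client_ip, request_target, reason) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        match = _REQUEST.match(line)
        if not match:
            continue
        ip, target = match.group(1), match.group(2)
        reason = classify_request(target)
        if reason:
            findings.append((ip, target, reason))
    return findings


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

Run against the sample, five of the seven lines are flagged; the `..dots` directory name and the plain `report.pdf` request are not, because the pattern requires the dots to be a whole path segment. The same checks can be applied to header and cookie values, which the log format above does not record.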
Path Traversal FAQ
How does a Path Traversal vulnerability happen?
Path traversal occurs because of insufficient filtering or validation of input from users. Typically, it occurs due to users being able to modify variables that reference files with “dot-dot-slash (../)” sequences and their variations. It can also occur in other scenarios such as in cases where users are able to specify absolute file paths in variables.
How does a Path Traversal differ from Directory Traversal?
These are the same vulnerability. Directory traversal is a different name for path traversal.
How does a Path Traversal differ from File Inclusion?
Path traversal vulnerabilities are often confused with file inclusion, because in both cases an attacker gains access to files that should not be accessible. The main difference between directory or path traversal and file inclusion vulnerabilities is whether the accessed resource is executed. In directory traversal, the resource is only read, while in file inclusion it is also executed.
Is Path Traversal limited to web applications?
No. Path traversal can be found in other protocols and software. For example, it can occur in misconfigured FTP servers.
Can BB-SEC help me prevent directory traversal vulnerabilities in my applications?
Yes! BB-SEC offers penetration testing services as well as static and dynamic code analysis that tests for path traversal vulnerabilities. Schedule a free consultation to see how BB-SEC can help you maintain your applications and software free of such vulnerabilities.
Path Traversal Prevention
The best way to prevent path traversal attacks is to never trust user input for file paths and file names. If user input must be used, it should, where possible, be validated against a whitelist so that only “known good” input is accepted.
If validation against a whitelist is not possible, the input should at minimum be validated to remove or block anything that could be used as part of a path traversal attack. This means that all characters that could be used to manipulate file paths should be removed or escaped. For example, when using PHP, the realpath() function can be used to canonicalize a path and resolve any “dot-dot-slash (../)” sequences or their variations.
Additionally, where appropriate, use indexes rather than actual portions of file paths or names when using language files or templating. For example, instead of trusting the user input of “French” and inserting it directly into language file path/name, have the value translated into something like “3” and use that for file name (or the other way around) so that the user input is not directly added.
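The following added example (not the page's or BB-SEC's own code) shows both recommendations together in Python: an index-to-file-name mapping for the language-file case, and a canonicalize-and-contain check for the case where a path fragment really has to come from the user. It uses os.path.realpath, the Python analogue of PHP's realpath(), and makes explicit the check that canonicalization alone does not provide: after resolving ../ segments and symbolic links, the result must still lie under the intended base directory. The language table, directory names and probe inputs are assumptions made up for the example; the demo builds a throwaway directory tree so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Assumed allowlist for a "language file" feature: the user supplies an opaque index,
# never a fragment of the path, so there is nothing for a ../ sequence to attach to.
LANGUAGE_FILES = {"1": "en.json", "2": "de.json", "3": "fr.json"}


def language_file(base_dir: str, choice: str) -> str:
    """Map a user-supplied index to a known file name; unknown indexes are rejected outright."""
    try:
        name = LANGUAGE_FILES[choice]
    except KeyError:
        raise ValueError(f"unknown language index: {choice!r}")
    return os.path.join(base_dir, name)


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user input onto base_dir and refuse anything that resolves outside it.

    realpath() collapses ../ segments and follows symlinks, but it is the containment
    check afterwards that enforces the boundary; canonicalizing alone is not enough.
    An absolute user path makes os.path.join discard base_dir entirely, which the same
    check also catches.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> dict:
    """Build a temporary tree with a public file and a symlink that points outside the
    public directory, then record which probe inputs safe_join allows or blocks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "public")
        os.makedirs(base)
        Path(base, "report.txt").write_text("public report")
        Path(tmp, "secret.txt").write_text("outside the web root")
        # A symlink inside the public directory pointing at the secret; realpath follows it.
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(base, "link.txt"))

        probes = ["report.txt", "../secret.txt", "sub/../../secret.txt", "/etc/hostname", "link.txt"]
        results = {}
        for attempt in probes:
            try:
                safe_join(base, attempt)
                results[attempt] = "allowed"
            except ValueError:
                results[attempt] = "blocked"
        return results


if __name__ == "__main__":
    for attempt, verdict in demo().items():
        print(f"{verdict:8} {attempt}")
    print(language_file("/srv/app/lang", "3"))
```

Only the plain file name is allowed; the relative traversal, the traversal through a non-existent subdirectory, the absolute path and the symlink are all blocked by the same containment check, which is why it should be applied to the canonical path rather than to the raw input.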
Additionally, the system on which the application server runs needs to be hardened. Permissions should be configured so that even if an attacker gains the privileges of the application process by compromising it, they do not have superuser permissions or permission to read sensitive files outside of the web root. Sensitive files and directories should never be stored in locations that can be accessed by users or by a compromised web server account. For example, if an application needs to store sensitive information in a configuration file, that file should be stored in a location outside of the web root and with hardened permissions.
Penetration testing and vulnerability scans such as those offered by BB-SEC should be performed to detect vulnerabilities such as directory traversal. BB-SEC offers penetration testing services as well as static and dynamic code analysis that tests for path traversal vulnerabilities. Schedule a free consultation to see how BB-SEC can help you maintain your applications and software free of such vulnerabilities.