Path traversal vulnerabilities arise when the application uses user-controllable data to access files and directories on the application server or another backend filesystem in an unsafe way. By submitting crafted input, an attacker may be able to cause arbitrary content to be read from, or written to, anywhere on the filesystem being accessed.
This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, ultimately leading to arbitrary command execution on the server.
Path traversal flaws are sometimes subtle to detect, and many web applications implement defenses against them that may be vulnerable to bypasses. I will describe all the various techniques you will need, from identifying potential targets, to probing for vulnerable behavior, to circumventing the application’s defenses, to dealing with custom encoding.
Locating Targets for Attack
You should have identified any obvious areas of attack surface in relation to path traversal vulnerabilities. Any functionality whose explicit purpose is uploading or downloading files
should be thoroughly tested. This functionality is often found in work flow applications where users can share documents, in blogging and auction applications where users can upload images, and in informational applications where users can retrieve documents such as ebooks, technical manuals, and company reports.
Review the information gathered during application mapping to identify the following:
-Any instance where a request parameter appears to contain the name of a file or directory, such as include=main.inc or template=/en/sidebar.
-Any application functions whose implementation is likely to involve retrieval of data from a server filesystem, such as the displaying of office documents or images.
During all testing you perform in relation to every other kind of vulnerability, look for error messages or other anomalous events that are of interest. Try to find any evidence of instances where user-supplied data is being passed to file APIs or as parameters to operating system commands.
Detecting And Exploiting Path Traversal Vulnerabilities
After identifying the various potential targets for path traversal testing, you need to test every instance individually to determine whether user-controllable data is being passed to relevant filesystem operations in an unsafe way.
For each user-supplied parameter being tested, determine whether traversal sequences are being blocked by the application or whether they work as expected.
If the application function you are attacking provides read access to a file, attempt to access a known world-readable file on the operating system in question. Submit following values as the filename parameter you control: ../../../../../../../../../../../../etc/passwd
Always try path traversal sequences using both forward slashes and backslashes. Many input filters check for only one of these, when the filesystem may support both.
If the application is attempting to sanitize user input by removing traversal sequences and does not apply this filter recursively, it may be possible to bypass the filter by placing one sequence within another. For example:
You can exploit read access path traversal flaws to retrieve interesting files from the server that may contain directly useful information or that help you refine attacks against other vulnerabilities. If you find a path traversal vulnerability that grants write access, your main goal should be to exploit this to achieve arbitrary execution of commands on the server.
Preventing Path Traversal Vulnerabilities
The application should check whether user input contains either of the path traversal sequences (using backslashes or forward slashes) or any null bytes. If so, the application should stop processing the request. It should not attempt to perform any sanitization on the malicious fi lename.
The application should use a hard-coded list of permissible file types and reject any request for a different type.
The application can mitigate the impact of most exploitable path traversal vulnerabilities by using a chrooted environment to access the directory containing the files to be accessed. In this situation, the chrooted directory is treated as if it is the filesystem root, and any redundant traversal sequences that attempt to step up above it are ignored. Chrooted filesystems are supported natively on most UNIX-based platforms.
A similar effect can be achieved on Windows platforms by mounting the relevant start directory as a new logical drive and using the associated drive letter to access its contents.
The application should integrate its defenses against path traversal attacks with its logging and alerting mechanisms. Whenever a request is received that contains path traversal sequences, this indicates likely malicious intent on the user’s part. The application should log the request as an attempted security breach, terminate the user’s session, and, if applicable, suspend the user’s account and generate an alert to an administrator.