Directory traversal, also known as path traversal, is an HTTP attack that lets an attacker access restricted directories and files. By supplying `../` sequences (or their URL-encoded equivalents) in a parameter the application uses to build a file path, the attacker bypasses the server's security mechanisms and reaches directories and files stored outside the web root directory.
Web servers rely on two mechanisms to restrict user access to the file system:
- Root directory: user access is confined to the web root (document root), so users should be unable to reach directories or files outside it.
- Access Control Lists (ACLs): define which users may view, modify or execute a given file.
What an attacker can do
With a directory traversal vulnerability, an attacker steps out of the web root and reads other parts of the file system.
This can expose restricted files such as configuration files, password files or application source code.
Where the traversal reaches executable programs, the attacker may be able to run commands on the web server, which can lead to a full compromise of the system.
Directory Traversal attack
The first step is to identify every input that is sent to the server and may end up in a file path. This includes HTTP GET and POST parameters, HTML form fields, header values, and so on.
1. Read file and list directory
2. Run command on windows
The request URL above executes the command **dir+c:** (the `+` is the URL encoding of a space, so the server runs `dir c:`) and returns a listing of every file in C:\.
`%5c` in the request URL is the URL (percent) encoding of the backslash character `\`. The web server decodes such sequences (`%2e` for `.`, `%2f` for `/`, `%5c` for `\`) before the path is used, so an attacker can write the traversal sequence in encoded form to slip past filters that only look for the literal characters.
Example: consider following URL:
The request URL above lists all files in the documents folder; a function like this may be vulnerable to directory traversal.
To test it, send the parameter directory=../../../../../../../ (enough `../` to climb past the web root; extra ones are harmless because `..` at the file system root stays at the root). If the server responds with a listing of the root directory, the directory traversal vulnerability is confirmed and every directory on the server can be listed. If the server also exposes a function that reads files, the contents of any file the web server process has permission to read can be retrieved the same way.
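To see why a long run of `../` lands on the file system root no matter how deep the document folder is, and what `%5c` and `%2e%2e%2f` turn into once the server decodes them, here is an added Python example; it is not code from the original page. The base paths `/var/www/html/documents` and `C:\inetpub\wwwroot` and the probe strings are assumptions constructed for the illustration. The functions reproduce only the vulnerable path-building step with pure path arithmetic, so nothing is opened on disk:

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Hypothetical base directories for the illustration; the page does not name its server paths.
POSIX_DOCS = "/var/www/html/documents"
WINDOWS_ROOT = "C:\\inetpub\\wwwroot"


def decode(raw_param: str) -> str:
    """Undo one layer of percent-encoding, as the web server does before the
    application sees the value: %2e -> '.', %2f -> '/', %5c -> '\\'."""
    return unquote(raw_param)


def target_path(base_dir: str, raw_param: str, windows: bool = False) -> str:
    """The path a vulnerable handler ends up opening: decode the parameter,
    join it onto the base directory with no validation, and let the OS path
    rules collapse the '..' components (POSIX by default, Windows on request)."""
    pathmod = ntpath if windows else posixpath
    return pathmod.normpath(pathmod.join(base_dir, decode(raw_param)))


def escapes(base_dir: str, resolved: str, windows: bool = False) -> bool:
    """True when the resolved path lies outside base_dir."""
    pathmod = ntpath if windows else posixpath
    base = pathmod.normpath(base_dir)
    try:
        return pathmod.commonpath([base, resolved]) != base
    except ValueError:  # different drives or mixed absolute/relative: not under base
        return True


def explain(base_dir: str, raw_param: str, windows: bool = False) -> dict:
    """Summarise one probe: what was sent, what it decodes to, where it lands."""
    resolved = target_path(base_dir, raw_param, windows)
    return {
        "sent": raw_param,
        "decoded": decode(raw_param),
        "resolved": resolved,
        "escapes_base": escapes(base_dir, resolved, windows),
    }


if __name__ == "__main__":
    # Constructed probe values, not captured traffic.
    probes = [
        (POSIX_DOCS, "report.txt", False),                      # legitimate request
        (POSIX_DOCS, "../../../../../../../", False),           # climbs to '/'
        (POSIX_DOCS, "%2e%2e%2f" * 4 + "etc%2fpasswd", False),  # encoded '../'
        (WINDOWS_ROOT, "..%5c..%5c..%5cwindows%5csystem32%5ccmd.exe", True),
    ]
    for base_dir, raw, win in probes:
        print(explain(base_dir, raw, win))
```

Four `../` are enough to leave `/var/www/html/documents`; the seven in the page's probe are simply a safe over-estimate, because once the path reaches `/` (or `C:\`) further `..` components are discarded rather than rejected.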
Directory Traversal Prevention
Ensure you are running the latest version of your web server software and that all patches have been applied.
Validate all user input. Ideally accept only known-good values (an allow-list of file names or characters) rather than trying to strip dangerous metacharacters, and, after building the path, canonicalise it and verify that it still lies inside the intended directory before using it. This ensures that attackers cannot supply input that leaves the web root or violates other access privileges.
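The following added Python example, which is not part of the original page, puts the vulnerable pattern, a naive deny-list filter and a hardened handler side by side against a throwaway directory tree built on the fly. The `documents` folder, the file names and the `SAFE_NAME` pattern are assumptions made for the demonstration; the symlink in the fixture shows why an allow-list on characters alone is not enough and the canonical-path check is still needed:

```python
import os
import re
import tempfile
from urllib.parse import unquote


def make_webroot() -> str:
    """Build a throwaway layout (constructed for this example):
         <tmp>/webroot/documents/report.txt   inside the served folder
         <tmp>/webroot/documents/link.txt     symlink pointing outside it
         <tmp>/secret.txt                     outside the web root
    Returns the web root path."""
    base = tempfile.mkdtemp()
    docs = os.path.join(base, "webroot", "documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.txt"), "w") as f:
        f.write("quarterly report\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("top secret\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docs, "link.txt"))
    return os.path.join(base, "webroot")


def read_vulnerable(webroot: str, raw_param: str) -> str:
    """The pattern the page warns about: decode and join with no check.
    os.path.join also discards webroot entirely when the parameter is absolute."""
    path = os.path.join(webroot, "documents", unquote(raw_param))
    with open(path) as f:
        return f.read()


def read_denylist(webroot: str, raw_param: str) -> str:
    """A filter that strips the obvious metacharacters but runs on the raw
    value before decoding, so '..%2f' slips through; absolute paths do too."""
    if "../" in raw_param:
        raise PermissionError("traversal sequence rejected")
    return read_vulnerable(webroot, raw_param)


# Allow-list (assumed policy): letters, digits, '_', '.', '-'; no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def read_hardened(webroot: str, raw_param: str) -> str:
    """Allow-list the decoded name, then canonicalise and confirm the real
    path is still under the served folder; the second check catches symlinks,
    which the character check alone cannot see."""
    name = unquote(raw_param)
    if not SAFE_NAME.fullmatch(name):
        raise PermissionError("file name contains disallowed characters")
    docs = os.path.realpath(os.path.join(webroot, "documents"))
    path = os.path.realpath(os.path.join(docs, name))
    if os.path.commonpath([docs, path]) != docs:
        raise PermissionError("resolved path escapes the served folder")
    with open(path) as f:
        return f.read()


def respond(handler, webroot: str, raw_param: str) -> tuple:
    """Map a handler's outcome to an HTTP-style (status, body) pair."""
    try:
        return 200, handler(webroot, raw_param)
    except PermissionError as e:
        return 403, str(e)
    except FileNotFoundError:
        return 404, "not found"


if __name__ == "__main__":
    root = make_webroot()
    for raw in ["report.txt", "../../secret.txt", "..%2f..%2fsecret.txt", "link.txt"]:
        for handler in (read_vulnerable, read_denylist, read_hardened):
            print(f"{handler.__name__:16} {raw:24} -> {respond(handler, root, raw)}")
```

The deny-list handler blocks the literal `../../secret.txt` yet serves `..%2f..%2fsecret.txt`, because the filter inspects the encoded form and the decode happens afterwards. The hardened handler rejects both by construction, and the `realpath` plus `commonpath` comparison is what stops `link.txt`, a perfectly well-formed name whose target lives outside the served folder.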