Directory Traversal

Directory traversal allows an attacker to access files outside the Webroot folder over HTTP. An attacker can gain access to sensitive information and can execute arbitrary code on the server. Usually, every web server implements security at two levels:

  • Access Control Lists: The access control list determines who may access, modify or execute files on the server. The list consists of users or groups together with their permissions.
  • Root directory restriction: Under this restriction, users are not allowed to access any files outside the Webroot.

A directory traversal attack is also called a ../ (dot dot slash) attack, directory climbing or backtracking attack. The cause of a directory traversal attack might be a flaw in the code.

If an attacker successfully exploits a server using a directory traversal attack, they will be able to access sensitive files on the server that lie outside the Webroot. The attacker could access files like passwd to get the usernames and passwords of all the users in the application. A successful directory traversal attack can have enormous consequences, from loss of sensitive information to total server takeover.

Example

If the following URL works, then the website is vulnerable to a directory traversal attack.

        http://example.beagleexample.com/getUserProfile.jsp?item=../../../../etc/passwd

    

The above URL will give the attacker access to the passwords on the server.

Impact

Using this vulnerability, an attacker can:

  • input malicious files into the server, causing a file inclusion attack.
  • steal sensitive information from the server.

Mitigation / Precaution

Beagle recommends the following:

  • Sanitise the user inputs from the application.
  • Set privileges to the API in such a way that it allows inclusion of files from one allowed directory only.
  • Implement blacklisting of all the special characters that are not used in the file names.
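
One way to implement the "one allowed directory only" recommendation above, as an added Python example rather than Beagle's own code: canonicalise the requested name and refuse anything that resolves outside the allowed directory. The directory layout, file names and the `resolve_in_base` helper are assumptions made for illustration; the `item` value `../../../../etc/passwd` is the one from the example URL.

```python
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """The requested name resolves outside the allowed directory."""


def resolve_in_base(base_dir, item):
    """Return the real path for `item` only if it lies inside `base_dir`."""
    if "\x00" in item:
        raise TraversalError("NUL byte in file name")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." segments and follows symlinks, so the check
    # runs on the path the OS would actually open, not on the raw string.
    candidate = (base / item).resolve()
    if base not in candidate.parents:
        raise TraversalError(f"{item!r} is outside {base}")
    return candidate


def demo():
    """Check constructed requests against a throwaway directory tree."""
    requests = ["alice.txt", "../../../../etc/passwd", "/etc/passwd", "link.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        profiles = Path(tmp) / "webroot" / "profiles"  # hypothetical allowed dir
        profiles.mkdir(parents=True)
        (profiles / "alice.txt").write_text("alice profile")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("not for web users")
        os.symlink(secret, profiles / "link.txt")  # link that points outside
        for item in requests:
            try:
                resolve_in_base(profiles, item)
                results[item] = "allowed"
            except TraversalError:
                results[item] = "blocked"
    return results


if __name__ == "__main__":
    for item, verdict in demo().items():
        print(f"{verdict:8} {item}")
```

The check compares resolved paths rather than filtering characters, so an absolute path and a symlink that leaves the directory are refused along with the `../` form.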
