Directory Traversal

Directory Traversal is the ability to move from one directory to another. Web servers typically designate a single subdirectory to be browsable by the public using web browsers, and all the remaining directories to be off limits.

Directory Traversal Attacks

If you were on the server as an authenticated user, you might issue commands to move around the server:

[username:/export/home/user/public_html/] cd ..
[username:/export/home/user/] 

Directory traversal attacks (also known as dot dot slash attacks) seek to exploit this same navigation by finding vulnerabilities in the way a program builds file paths, in order to reach data or files outside of the public web directory.

The oldest way to execute this attack is directly in the web browser URL window itself. If we are browsing a site, we could try asking for a higher directory in the URL.

www.mysite.com/index.html -> maps to /export/home/user/public_html/index.html

We know that a file called showSecrets.php is in the non-accessible folder /export/home/user/secrets, so we try to trick the server into showing this file with the following URL:

www.mysite.com/../secrets/showSecrets.php -> maps to /export/home/user/secrets/showSecrets.php

If your web server does not defend against this kind of attack, it will return the showSecrets.php output!

Another, less well-known method uses data input to ask your application to retrieve those files. Imagine you had some functionality to retrieve files from a specific directory, and displayed a list of those files to users. When a user clicks on a file, you send some data to a new URL to return the file.

URL:

www.mysite.com/getFile?file=fileName.txt

PHP code to do the retrieval:

<?php
$filename = $_GET["file"];	// get the requested file name from the URL, completely unchecked
$path = "/export/home/user/public_html/files/" . $filename;	// build the path inside the files directory
$fh = fopen($path, "r");	// open file for reading (mode must be lower-case "r")
echo fread($fh, filesize($path));	// read and display contents
?>

An attacker may notice this, and modify the URL to request a secret file, similar to what we saw above:

www.mysite.com/getFile?file=../../secrets/showSecrets.php

The website now displays the secret file contents to the attacker! The path the PHP opens would look like

/export/home/user/public_html/files/../../secrets/showSecrets.php -> maps to /export/home/user/secrets/showSecrets.php

How Does this Impact my Security?

Directory traversal can be very dangerous, as it exposes private information to the internet. Attackers can use this to download private files, or to further attack your system. Depending on the way files are accessed using this method, attackers may be able to execute processes on your server, download password files, or expose your source code for further analysis.

Preventing Directory Traversal

For browser-based attacks (putting ../ into the URL), updating your server software should correct this. Recent web servers, including IIS and Apache, provide protection against this type of directory traversal attack.

Application level directory traversal is harder to spot and prevent. The best defense is strong filtering of user data. This can come from cookie information, form input (POST and GET), the URL, and any other data source which may be influenced by a user. Directory traversals may come in several forms. Be sure to check for at least the following substitutes, or better yet, whitelist all user input.

  • ..
  • %2e%2e followed by / or %2f
  • %c1%1c and similar Unicode strings which may translate to ../

You can also check the resolved path against an exact prefix. In the examples given previously, the path to

/export/home/user/public_html/files/

is exactly 36 characters. Treat any resolved path whose first 36 characters differ from this as invalid.
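The checks described above, combined into one resolver, as an added example that is not part of the original page: it percent-decodes the value until it stops changing (so %2e%2e is seen as ..), applies an allowlist for plain file names (an assumed policy for this example), and finally requires the normalised path to keep the page's 36-character prefix. The constructed inputs in the demo are the page's own payloads.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# The page's download directory; with the trailing slash it is the
# "exactly 36 characters" prefix the text describes.
BASE_DIR = "/export/home/user/public_html/files"
PREFIX = BASE_DIR + "/"            # len(PREFIX) == 36

# Allowlist (assumed policy): a single plain file name such as fileName.txt.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing, so %2e%2e and
    double-encoded forms are judged as the characters they become."""
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def resolve_download_path(user_value: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request is rejected."""
    name = fully_decode(user_value)
    # 1. Allowlist: rejects '..', '/', anything %2f decoded to, and the stray
    #    bytes of malformed Unicode sequences (unquote maps them to U+FFFD).
    if not SAFE_NAME.fullmatch(name):
        return None
    # 2. Normalise lexically (collapses any '..') and insist the result still
    #    starts with the exact BASE_DIR prefix.
    candidate = os.path.normpath(os.path.join(BASE_DIR, name))
    if candidate[:len(PREFIX)] != PREFIX:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values taken from the page's examples.
    for value in ("fileName.txt",
                  "../../secrets/showSecrets.php",
                  "%2e%2e%2f%2e%2e%2fsecrets%2fshowSecrets.php",
                  "%c1%1c"):
        print(repr(value), "->", resolve_download_path(value))
```

normpath is purely lexical; once the file is known to exist, also compare os.path.realpath of the result against the prefix so that a symlink inside the directory cannot point outside it.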

Additional Resources

Find Insecure Settings on your Webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including application server setup. See how the Golem Scan can help your business today.