If you are not already familiar with Path Traversal, you may wish to review the article entitled "What Is Path Traversal?".
For insights into how to detect Path Traversal vulnerabilities, see the article entitled "How To Test For Path Traversal".
Preventing Path Traversal
There are several key countermeasures you can implement to prevent Path Traversal vulnerabilities in your applications. Consider one or more of the following tactics as appropriate for your requirements:
- Input Validation: Validate inputs against a whitelist of acceptable values and reject all non-conforming values. Do not accept file and path separator characters (or ".." segments) unless you genuinely have to.
- Indirect References: Instead of working with file names or paths, an alternative design passes cryptographically strong random codes to designate files. These codes are then mapped on the server to the corresponding file. This effectively limits the selection to the set of files the application chose to present to the user.
- Least Privilege: The account used by the application should hold the minimal file-system privileges necessary. Ideally, access should be limited to files within the legitimate purview of the application and of the current user.
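The first two countermeasures above, as an added example that is not part of the original article: an allowlist check plus a canonical-path containment test, and an indirect-reference store that hands out random tokens instead of file names. The base directory and the ".pdf"/".txt" allowlist are assumptions chosen for illustration.

```python
import os
import re
import secrets

# Hypothetical base directory the application is allowed to serve files from.
BASE_DIR = os.path.realpath("/srv/app/reports")

# Allowlist: a plain file name, no separators, no dot segments, fixed extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(pdf|txt)$")


def validate_name(name: str) -> bool:
    """Input validation: accept only names that match the allowlist exactly."""
    return bool(SAFE_NAME.fullmatch(name))


def resolve_safely(name: str) -> str:
    """Return the canonical path for `name`, or raise ValueError if it is unsafe."""
    if not validate_name(name):
        raise ValueError("rejected by allowlist: %r" % name)
    full = os.path.realpath(os.path.join(BASE_DIR, name))
    # Second line of defence: even an allowlisted name must canonicalise to a
    # path inside BASE_DIR (this also catches symlinks that point outside it).
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("escapes base directory: %r" % name)
    return full


def is_rejected(name: str) -> bool:
    """Boolean wrapper around resolve_safely() for callers that prefer no exception."""
    try:
        resolve_safely(name)
    except ValueError:
        return True
    return False


class IndirectFileStore:
    """Indirect references: clients see only random tokens, never file names."""

    def __init__(self):
        self._by_token = {}

    def register(self, name: str) -> str:
        """Map a server-chosen file to a fresh token from a CSPRNG (256 bits)."""
        path = resolve_safely(name)        # validate before exposing anything
        token = secrets.token_urlsafe(32)
        self._by_token[token] = path
        return token

    def lookup(self, token: str):
        """Return the mapped path, or None; no client-supplied path is ever parsed."""
        return self._by_token.get(token)
```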
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.