How To Test for Path Traversal

Testing For Path Traversal

If you are not already familiar with what a Path Traversal vulnerability is, we suggest that you review the article entitled: “What Is Path Traversal?”.

Detecting Path Traversal

Detecting Path Traversal is quite straightforward: provide malicious Path Traversal payloads to the application and look for anomalies in the responses. Tools such as Burp Suite and OWASP ZAP can automate large portions of the testing and are indispensable when working with large applications. These tools make it easier both to supply malicious Path Traversal payloads as inputs to the application and to distinguish interesting results within the set of responses.

Generally speaking, the ability to specify filepath characters such as { `:`, `..`, `/`, `\` } within file-related inputs is a hint that the application may be vulnerable to Path Traversal. Watch for unusual application behavior in response to such characters and malicious filepaths. Note that fingerprinting the OS of the application server is useful, as that will allow you to narrow your payloads down to those appropriate for the target operating system.
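The following check is an added example, not code from the original article. It shows, for a file handler you own, which inputs built from those characters resolve outside the intended directory under POSIX and under Windows path rules, which is why knowing the server OS matters. The base directories, candidate strings and function names are constructed for illustration.

```python
import ntpath
import posixpath

# Constructed test inputs built from the characters named above (: .. / \).
CANDIDATES = [
    "report.pdf",            # benign baseline
    "../../secret.txt",      # parent-directory segments, forward slash
    "..\\..\\secret.txt",    # parent-directory segments, backslash
    "/secret.txt",           # rooted path
    "C:\\secret.txt",        # drive-qualified path
    "docs/../report.pdf",    # contains ".." but stays inside the base
]


def escapes_base(pathmod, base, user_input):
    """Return True if joining user_input onto base resolves outside base.

    pathmod is posixpath or ntpath, so the same input can be evaluated
    under either operating system's rules regardless of where this runs.
    """
    base_norm = pathmod.normpath(base)
    # join() discards the base when the input is rooted or drive-qualified,
    # and normpath() collapses ".." segments; both can leave the base.
    resolved = pathmod.normpath(pathmod.join(base_norm, user_input))
    try:
        common = pathmod.commonpath([base_norm, resolved])
    except ValueError:
        return True  # e.g. a different drive letter under Windows rules
    return pathmod.normcase(common) != pathmod.normcase(base_norm)


def audit(pathmod, base, candidates=CANDIDATES):
    """List the candidates that would leave the base directory."""
    return [c for c in candidates if escapes_base(pathmod, base, c)]


if __name__ == "__main__":
    for name, mod, base in (
        ("POSIX", posixpath, "/srv/app/files"),
        ("Windows", ntpath, "C:\\srv\\app\\files"),
    ):
        print(name, "inputs that escape", base)
        for item in audit(mod, base):
            print("   ", repr(item))
```

Under POSIX rules the backslash and drive-letter inputs are treated as ordinary filenames and stay inside the base, while under Windows rules all four non-benign inputs escape. The same `escapes_base` comparison can serve as the rejection check in the handler itself.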

Simple payloads like the one in our example (adjusted for the target OS) can be useful for manual testing.

We suggest that you do an internet search for Path Traversal Cheatsheet to find specific payloads, but believe you will find it more productive to use an automated tool.

If you DO discover a Path Traversal vulnerability, then the game changes into “what can I access?”.   A good reference of where important files live can be found here and here.  Note that the account being used by the application will typically require read permission on each file that you target.

Path Traversal vulnerabilities can lead to serious breaches of confidentiality and are not to be taken lightly.  It is advisable to test your application thoroughly to detect any potential problems.

For insight into avoiding and fixing Path Traversal vulnerabilities, please see the article entitled: “How To Prevent Path Traversal”.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and to train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
