Path Traversal refers to the failure of an application to validate, against an allow-list, inputs that name files or paths, allowing a malicious user to reference files outside the scope of the designer's intentions.
Path Traversal is sometimes lumped into a larger class of web-application vulnerabilities called "Insecure Direct Object References" (IDOR), because it is a specific sub-type in which the "object" is a file name or file path.
Path Traversal Example
Consider an application that prompts the user to choose a file from a drop-down list and then displays the contents of the selected file.
Presumably, the list of choices has been generated by the application and properly reflects the scope of the application and the user's role. We can further expect that when the end user submits the form, the selected file name is sent to the server as a form parameter; for our purposes, let's assume it is called "theFile".
Now suppose that, using a web proxy, we intercept the request and replace the value of "theFile" with something other than one of the offered choices, say "../../../../../../../../etc/passwd". We submit the request and the response comes back with the contents of the Linux server's /etc/passwd file. (On a modern system this is the account database rather than the password hashes, which live in /etc/shadow and are readable only by root, but it still confirms the traversal and reveals user names, home directories and login shells.)
This is the essence of a Path Traversal vulnerability: the ability of an attacker to craft a malicious file name that accesses or exposes information beyond the designer's intent. In our example, we exploited the application's failure to validate its input and supplied a path containing many ".." components, each of which refers to the parent directory. Since it is not possible to go above the root directory (".." at "/" simply resolves to "/" again), a sufficiently long run of leading ".." components lands at the root no matter where the application's own directory sits, and from there "etc/passwd" reaches the account file on any Unix/Linux system.
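The following is an added example (not code from the original article or from Affinity IT Security) that reproduces the flow just described. The vulnerable resolver glues "theFile" onto the application's directory exactly as the example handler is assumed to; the hardened resolver first checks the parameter against the drop-down's own allow-list and then confirms the canonicalized path still sits under the base directory. The directory name, the drop-down contents and the tiny in-memory file system are all constructed for the example so it runs offline; on a real server the containment check should be applied to os.path.realpath() of the joined path so that symbolic links inside the base directory cannot point out of it.

```python
import posixpath

# Hypothetical layout, constructed for this example: the directory the
# designer intended to expose, and the files the drop-down list offers.
BASE_DIR = "/var/www/app/files"
DROP_DOWN_CHOICES = {"readme.txt", "report-2023.txt"}

# Constructed stand-in for the server's file system so the example runs
# offline. The /etc/passwd line is sample data, not a real account.
FAKE_FS = {
    "/var/www/app/files/readme.txt": "Welcome to the file viewer.\n",
    "/var/www/app/files/report-2023.txt": "Quarterly numbers...\n",
    "/var/www/app/files_backup/secret.txt": "old database password\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}


def vulnerable_resolve(the_file: str) -> str:
    """What the example handler is assumed to do: join the parameter onto
    BASE_DIR with no validation. normpath collapses the leading '..' run
    at '/', so an absurd number of them still ends at the root."""
    return posixpath.normpath(posixpath.join(BASE_DIR, the_file))


def is_under_base(candidate: str, base: str = BASE_DIR) -> bool:
    """Containment check on a canonical path. commonpath compares whole
    path components, so '/var/www/app/files_backup' is correctly rejected
    even though a plain str.startswith(BASE_DIR) test would accept it."""
    return posixpath.commonpath([base, candidate]) == base


def hardened_resolve(the_file: str) -> str:
    """Allow-list first (the only values the drop-down ever offered),
    containment check second as defence in depth."""
    if the_file not in DROP_DOWN_CHOICES:
        raise PermissionError(f"{the_file!r} is not one of the offered files")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, the_file))
    if not is_under_base(candidate):
        raise PermissionError(f"{the_file!r} escapes {BASE_DIR}")
    return candidate


def serve(the_file: str, resolver=vulnerable_resolve) -> str:
    """The 'display the selected file' step, reading from FAKE_FS."""
    path = resolver(the_file)
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


if __name__ == "__main__":
    payload = "../../../../../../../../etc/passwd"
    print("vulnerable resolves to:", vulnerable_resolve(payload))
    print("vulnerable serves:", serve(payload), end="")
    try:
        serve(payload, resolver=hardened_resolve)
    except PermissionError as err:
        print("hardened blocks it:", err)
```

Note the second vector the vulnerable resolver also allows: posixpath.join discards BASE_DIR entirely when "theFile" is itself absolute ("/etc/passwd"), so an application that only strips ".." sequences is still exposed; the allow-list plus commonpath check rejects both forms.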
Path Traversal vulnerabilities can result in serious breaches of information security: beyond /etc/passwd, the same technique can expose application source code, configuration files holding database credentials or keys, and other users' data, and where the traversed path is written to rather than read, it can lead to code execution.
For insight into how to detect Path Traversal vulnerabilities in applications, please see the article entitled: “How To Test For Path Traversal“.
For insight into avoiding and fixing Path Traversal vulnerabilities in applications, please see the article entitled: “How To Prevent Path Traversal“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.