Imagine your house is full of rooms with various doors, some leading to secure areas like your personal office or a safe room. Now, what if someone knew a trick to bypass the usual routes and access these rooms directly, stealing or tampering with your valuables, such as your 419-karat gold chain, expensive perfume, or even your vintage Kolo box. This is essentially what happens in a path traversal attack.
Path traversal, also known as directory traversal, is a type of vulnerability found in web applications. It allows attackers to access files and directories stored outside the web root folder, which they typically shouldn't be able to reach, that's for the chefs, a.k.a Backend Engineers. These files can contain sensitive information like application code, user data, credentials, and even system files, which can be exploited to gain further control over the server.
Say there's a web application, a sinister yahooyahoo online shopping store used to trade illegally, much like Darkmarket, with its name actually being yahooyahoo! Dumb I know, had to do with something about hiding in plain sight by the admin who's now in jail :).
The application loads an image using a URL like this:
<img src="/loadImage?filename=218.png">
In the backend, the server processes this request by appending the filename to a base directory:
/var/www/images/218.png
However, if there are no defenses against path traversal, an attacker; in this case EFCC, can manipulate the filename parameter to access other files on the server such as account info of the users.
For instance, they might try:
https://yahooyahoo.com/loadImage?filename=../../../etc/passwd
This request instructs the server to load a file by stepping up three directory levels from the base path and then accessing the /etc/passwd
file, a critical system file on Unix-like systems.
The server constructs the path like this:
/var/www/images/../../../etc/passwd
The ../
sequence moves up one directory level. So, the path resolves to:
/etc/passwd
../
SequenceWhen you hear of Sequence in Web-Sec, just think of Navigation.
Think of ../
as a way to go up one level in a directory structure, like climbing a ladder to the floor above:
../
takes you one level up.../../
takes you two levels up.../../../
takes you three levels up, and so on.In a computer file system:
/home/user/documents/projects
, ../
takes you to /home/user/documents
.../../
would take you to /home/user
.../../../
brings you to /home
.To better understand this:
Imagine you're in a large hotel, Hotel 3FCC. You start in room 419 (4th floor, 19th room). Using ../
:
../
means stepping out into the hallway (up one level in directory terms).../../
means taking the elevator down to the 3rd floor.../../../
means going down to the 2nd floor.Hotel:
---------------------
(Floors)
|
|
+---------------------------------------------+
| 1st Floor | 2nd Floor | 3rd Floor | 4th Floor |
| | | | |
+-------------+-------------+-------------+-------------+
| | Room 219 | | Room 419 |
| | | | (Your Room)|
| +-------------+ +-------------+
| | Room 220 | | Room 420 |
| | | | |
+-------------+-------------+-------------+-------------+
| | Room 319 | | |
| | | | |
| +-------------+ +-------------+
| | Room 320 | | |
| | | | |
+-------------+-------------+-------------+-------------+
Initial Position: Room 419 on the 4th Floor
Current Path: /home/user/documents/projects
Hotel Analogy: You are in Room 419 on the 4th Floor
+---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+
Step 1: Using ../
to move up one level to the hallway of the 4th floor
New Path: /home/user/documents
Hotel Analogy: Stepping out into the hallway of the 4th Floor
+---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+
Step 2: Using ../../
to move up two levels to the 3rd Floor
New Path: /home/user
Hotel Analogy: Taking the elevator down to the 3rd Floor
+---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+
Step 3: Using ../../../
to move up three levels to the 2nd Floor
New Path: /home
Hotel Analogy: Taking the elevator down to the 2nd Floor
+---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+
To prevent these attacks, many applications strip out directory traversal sequences from user input. But clever attackers often find ways to bypass these defenses.
For instance, they might use an absolute path directly from the root:
filename=/etc/passwd
Or, they might use nested traversal sequences like ....//
, which, after stripping, still leaves a valid traversal sequence:
https://yahooyahoo.com/loadImage?filename=....//etc/passwd
Here’s how nested sequences work:
....//etc/passwd
../
: The sequence ....//
reverts to ../
/var/www/images/../etc/passwd
/etc/passwd
Another trick involves URL encoding (I'll be writing an article on URL encoding soon), where characters like ../
are represented in encoded forms (%2e%2e%2f
). For example:
filename=%2e%2e%2f%2e%2e%2fetc/passwd
This can trick the application into processing it as valid input.
To defend against path traversal:
In 2017, a critical vulnerability was discovered in Apache Struts, a popular open-source web application framework. The vulnerability (CVE-2017-5638) allowed attackers to exploit path traversal to read and execute arbitrary files on the server. This was part of the attack vector used in the massive Equifax data breach, which exposed personal information of over 147 million people. Attackers leveraged the vulnerability to execute remote code, gaining access to sensitive data.
In 2018, a path traversal vulnerability (CVE-2018-13379) was discovered in Fortinet's FortiOS SSL VPN web portal. The flaw allowed unauthenticated attackers to download system files via specially crafted HTTP resource requests. By exploiting this, attackers could access sensitive information such as password files and VPN session details, compromising the security of the entire network.
Magento, a popular eCommerce platform, has been subject to multiple path traversal vulnerabilities over the years. One such vulnerability allowed attackers to exploit the file upload mechanism to upload malicious files by bypassing directory restrictions. This could lead to remote code execution, enabling attackers to take over the web server and access sensitive customer information and payment data.
In 2012, a significant path traversal vulnerability was found in the Nokia Store app. The issue allowed attackers to download arbitrary files from the server. By manipulating the URL parameters, attackers could access restricted directories and sensitive files, potentially exposing user data and internal configurations.
In 2020, a path traversal vulnerability was identified in Rubygems.org, the Ruby community’s gem hosting service. The vulnerability (CVE-2020-25613) allowed attackers to manipulate file paths and download arbitrary files from the server. This posed a significant risk as it could potentially expose sensitive configuration files and credentials stored on the server.
Cisco's Adaptive Security Appliance (ASA) software was found to have a critical path traversal vulnerability (CVE-2018-0296) in 2018. This allowed unauthenticated attackers to send crafted HTTP requests to gain access to sensitive system files. Exploiting this flaw, attackers could obtain information about the device configuration, potentially aiding in further attacks against the network.
In 2020, a path traversal vulnerability (CVE-2020-10546) was discovered in GitHub Enterprise Server. This vulnerability allowed attackers to access arbitrary files on the server by manipulating URL paths. Exploiting this, an attacker could gain access to sensitive information such as repository files and configuration data, posing a significant security risk to the affected enterprises.
Many WordPress plugins have been found vulnerable to path traversal attacks. For instance, the popular plugin "Duplicate Page" had a path traversal vulnerability that allowed attackers to read arbitrary files from the server. Such vulnerabilities in widely used plugins pose significant risks as they can affect a large number of websites, potentially exposing sensitive data and enabling further attacks.
I'm not supposed to be writing an article telling you this (lol), but sometimes the most secure doors have hidden keys – and in the world of web security, path traversal is one key you definitely don't want falling into the wrong hands.
Path traversal vulnerabilities extend beyond what I have shown here but see this as a starting point, a good magician never reveals his secrets :).
Path traversal vulnerabilities are like hidden passages in a fortress, allowing attackers to slip through defenses and wreak havoc. By understanding how these attacks work and implementing defenses, we can better protect our digital fortresses from unauthorized access. Always validate and sanitize user inputs, and regularly, I mean regularly review your code and server configurations to close off any potential exploits.
Mischief Managed.
Resources:
Portswigger (Web Security Academy)
Wikipedia