File/Directory Traversal Attack
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server running an application. Such files may contain passwords or password hashes, configuration files (often holding database credentials and API keys), application source code, and other sensitive data.
An attacker can read any file that the web server's process has permission to read, usually by combining ../ sequences with the filter-bypass techniques described below.
Why Does It Happen?
It happens when an application takes a file name from user input without sanitising or validating it and passes it to a file-system API on the server, which then opens whatever path results.
For example, if an application loads text/PDF/image files according to the user's request and there is no sanitisation/validation in place, it is likely to be exposed to a file traversal attack.
<img src="/loadImage?filename=abc.jpeg">
The above tag is used by the application to load an image file, which is read directly from the server's file system.
The URL behind the same image "abc.jpeg" will look like:
https://www.imageshome.com/loadImage?filename=abc.jpeg
Requesting this URL returns the image, fetched directly from the server's file system (from an image directory such as /var/www/images/).
/etc/passwd on Linux and boot.ini on Windows (present only up to Windows Server 2003; win.ini is the usual probe on later versions) are world-readable files that exist on almost every install, which makes them the standard way to prove that a traversal works:
https://www.imageshome.com/loadImage?filename=../../../../etc/passwd
In the above URL there are two things to understand:
1. ../../../../ = each ../ steps up one directory. Starting from the image directory (say /var/www/images/), four of them reach the root directory /; using more than needed is harmless, because the parent of / is still /.
2. /etc/passwd = the file listing the local user accounts on a Linux machine (/etc is a directory, passwd is the file). It is readable by every user, which is why it is the classic proof of traversal; on modern systems the password hashes themselves live in /etc/shadow, which only root can read.
Applications often try to block ../, so below are some techniques which can bypass common validations and help an attacker read files on the server.
Nested sequences, for a filter that strips ../ in a single, non-recursive pass (....// becomes ../ once the inner ../ is removed):
https://www.imageshome.com/loadImage?filename=....//....//....//....//etc/passwd
Backslashes instead of forward slashes, for Windows servers (win.ini is present on every Windows installation):
https://www.imageshome.com/loadImage?filename=..\..\..\windows\win.ini
Prefixing the expected base folder, for a filter that only checks that the path starts with var/www/images/ and never looks at what the .. sequences resolve to:
https://www.imageshome.com/loadImage?filename=var/www/images/../../../../etc/passwd
A relative path with no traversal sequence at all, useful to learn how the application resolves file names before crafting the real payload:
https://www.imageshome.com/loadImage?filename=etc/passwd
More ../ than strictly needed: once the root directory is reached, extra .. have no effect, so overshooting is safe when the depth of the image directory is unknown:
https://www.imageshome.com/loadImage?filename=../../../../../../etc/passwd
Appending the expected extension, for a filter that requires the name to end in .png. As written the server will look for a file literally named passwd.png; this trick only works where the runtime truncates the path at a null byte placed before the extension (the classic %00.png), which modern runtimes no longer do:
https://www.imageshome.com/loadImage?filename=../../../../../../etc/passwd.png
You can also URL-encode the slashes and dots (%2e%2e%2f), or double-encode them (%252e%252e%252f), to get past filters that inspect the raw parameter and decode it only afterwards.
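To make the above concrete, here is an added example (not the imageshome.com application's code) that models the loadImage handler in Python. It builds a constructed directory layout in a temp dir, with <tmp>/images/ standing in for /var/www/images/ and <tmp>/secret.txt standing in for /etc/passwd, so it runs offline. Four loaders reproduce the mistakes the bypasses above exploit (no check at all, stripping ../ once, a string-prefix check before .. is resolved, and checking before URL-decoding), and load_safe shows the fix: resolve the final path with realpath and confirm it is still inside the image root. The payload strings and function names are this example's own.

```python
import os
import tempfile
from urllib.parse import unquote

# Added example, not the imageshome.com application's code. The layout is
# constructed in a temp dir so the demo never touches /etc/passwd.


def build_demo_tree():
    """Create the constructed layout; returns (images_dir, secret_path)."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    images = os.path.join(base, "images")
    os.mkdir(images)
    with open(os.path.join(images, "abc.jpeg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed passwd-style line
    return images, secret


def load_naive(image_root, filename):
    """Vulnerable: user input is joined straight onto the image directory."""
    with open(os.path.join(image_root, filename), "rb") as f:
        return f.read()


def load_strip_once(image_root, filename):
    """Still vulnerable: removes '../' in one pass, so '....//' collapses to '../'."""
    return load_naive(image_root, filename.replace("../", ""))


def load_prefix_check(image_root, filename):
    """Still vulnerable: checks the prefix of the path string before '..' is resolved."""
    path = os.path.join(image_root, filename)
    if not path.startswith(image_root):
        raise PermissionError("outside image root")
    with open(path, "rb") as f:  # the kernel resolves the embedded '..' on open
        return f.read()


def load_check_then_decode(image_root, filename):
    """Still vulnerable: rejects '../' before URL-decoding, so %2e%2e%2f slips past."""
    if "../" in filename:
        raise PermissionError("traversal sequence rejected")
    return load_naive(image_root, unquote(filename))


def load_safe(image_root, filename):
    """Hardened: resolve the final path, then confirm it is still under the root."""
    root = os.path.realpath(image_root)
    target = os.path.realpath(os.path.join(root, filename))
    # commonpath catches '..' sequences, absolute names (which os.path.join
    # would otherwise let replace root) and symlinks that point outside root.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("outside image root")
    with open(target, "rb") as f:
        return f.read()


def run_demo():
    """Run each payload style against each loader; True means the secret leaked."""
    images, secret = build_demo_tree()
    with open(secret, "rb") as f:
        secret_bytes = f.read()

    def leaks(loader, payload):
        try:
            return loader(images, payload) == secret_bytes
        except (PermissionError, FileNotFoundError, NotADirectoryError):
            return False

    # secret.txt is one level above images/, so one '../' suffices here (the
    # page needs four from /var/www/images/). Overshooting is harmless at '/',
    # so this payload climbs past the root and comes back down the real path.
    depth = len(os.path.realpath(images).strip("/").split("/"))
    overshoot = "../" * (depth + 2) + os.path.realpath(secret).lstrip("/")

    return {
        "naive": leaks(load_naive, "../secret.txt"),
        "naive_overshoot": leaks(load_naive, overshoot),
        "strip_once": leaks(load_strip_once, "....//secret.txt"),
        "prefix_check": leaks(load_prefix_check, "../secret.txt"),
        "encoded": leaks(load_check_then_decode, "%2e%2e%2fsecret.txt"),
        "safe_traversal": leaks(load_safe, "../secret.txt"),
        "safe_absolute": leaks(load_safe, secret),
        "safe_legit": load_safe(images, "abc.jpeg").startswith(b"\xff\xd8"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} {result}")
```

Every vulnerable loader leaks the constructed secret, while load_safe rejects both the relative traversal and an absolute path yet still serves abc.jpeg. The key design choice is to validate the path the operating system will actually open (after realpath), rather than the string the user sent.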