Directory Traversal

Sagar
Published in InfoSec Write-ups
4 min read · Jun 18, 2021


WHAT IS DIRECTORY TRAVERSAL?

Directory traversal, also called “path traversal”, is a type of web security vulnerability. When exploited, it lets an attacker read arbitrary files on the server that hosts the application.

The leaked files may include application code and data, sensitive information such as credentials and usernames, or operating-system files. In some cases the attacker can also write arbitrary files to the server, which can lead to a full system compromise.

So let’s have a look at how all this begins. Consider any website that displays images. To load these images, the page contains HTML that looks something like this:

<img src="/image?filename=1.png">

What happens here is that the ‘image’ URL takes the ‘filename’ parameter and returns the content of the specified file. On a Linux system the images are typically stored under ‘/var/www/html’. To serve ‘1.png’, the application appends the requested filename to that base directory using a filesystem API, so for the example above the resulting file path is:

/var/www/html/1.png

Why is this vulnerable to directory traversal? If we look carefully, there is no sanitization of the path supplied by the user, so a malicious user can request an arbitrary path, for example:

https://www.example.com/image?filename=../../../etc/passwd

This causes the application to read the file /etc/passwd, because each ‘../’ moves one directory up from the current one and is perfectly valid in a filesystem path. On Linux systems /etc/passwd lists the user accounts registered on the system. The same attack works on Windows systems, where both ../ and ..\ are accepted; an equivalent target file there is ‘\windows\win.ini’.

POSSIBLE WAYS TO EXPLOIT

Applications use various filters and sanitization techniques to defend against directory traversal, but flaws in their implementation often leave them bypassable. Some of these are discussed below.

  1. If the application passes the user-supplied filename directly into the filesystem API, the defense can be bypassed by supplying an absolute path such as “/etc/passwd”, which ignores the base directory entirely.
  2. If the defense strips the traversal sequence (‘../’) from the input to block unwanted traversal, it can be bypassed with a nested traversal sequence such as (….//….//….//etc/passwd). When the filter removes the inner ‘../’ once, the remaining characters collapse back into ‘../’, so the traversal survives the filter.
  3. If the application’s input filter blocks the ‘../’ sequence itself, the approach above won’t work. However, various non-standard encodings can succeed if the filter does not check the decoded value. For example, an attacker can use encodings such as ..%c0%af or ..%252f, which the server later decodes so that they behave the same as ‘../’.
  4. Many applications add a defensive check that the user-supplied filename must start with the expected base folder (eg. /var/www/html). This is easy to get around: the attacker simply passes a path such as (filename=/var/www/html/../../../etc/passwd), which starts with the base folder and then traverses out of it.
  5. Conversely, an application may require that the filename end with an expected file extension (eg. “.png”, “.jpeg”). A null byte can make this easy to bypass, because the null byte effectively terminates the file path before the extension, for example (filename=../../../etc/passwd%00.png).

PREVENTION METHODS

The most effective method is to avoid passing user-supplied input into filesystem APIs altogether; this can often be done by rewriting the relevant functions so that the values are passed more safely.

In scenarios where passing the values is unavoidable, the following precautions can be taken.

  1. First, the application should validate the user input before processing it. This can be done by simply checking it against a whitelist of permitted values.
  2. If, for some reason, whitelist validation can’t be performed, the application should verify that the input contains only permitted content.
  3. After validating the input, the application should append the user-supplied value to the base directory and then use the filesystem API to canonicalize (standardize or normalize) the path. It should then check that the canonicalized path lies within the expected base directory.
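Here is an added example (not code from the original post) contrasting the “strip ‘../’ once” defense from the exploit section with the append-canonicalize-check approach above. The base directory, extensions and payloads are constructed for the demonstration, and nothing is read from disk.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed values for the demonstration; nothing is read from disk.
BASE_DIR = "/var/www/html"
ALLOWED_EXTENSIONS = {".png", ".jpeg", ".jpg"}


def flawed_filter_path(filename: str) -> str:
    """Weak defense from the exploit section: strip '../' once, then join.
    A nested sequence such as '....//' collapses back into '../', so the
    traversal survives the filter and the joined path escapes BASE_DIR."""
    stripped = filename.replace("../", "")
    return posixpath.normpath(posixpath.join(BASE_DIR, stripped))


def safe_path(filename: str) -> Optional[str]:
    """Return the canonical path of a permitted file, or None to reject.

    Follows the prevention steps: validate the input, append it to the base
    directory, canonicalize, then confirm the result still lies inside the
    base directory. posixpath.normpath keeps the example offline; on a live
    server use os.path.realpath so that symlinks are resolved as well.
    """
    # A NUL byte would truncate the path inside C-level filesystem calls.
    if not filename or "\x00" in filename:
        return None
    # Allow only the expected image extensions on the raw input.
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # join() discards BASE_DIR when filename is absolute (the absolute-path
    # bypass); the containment check below still catches that case.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    # commonpath compares path components, not a string prefix, so a
    # sibling such as '/var/www/htmlx/...' is rejected too.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def resolve_request(raw_param: str) -> Optional[str]:
    """Decode the query parameter exactly once, then validate.
    Checking the decoded value is what defeats '..%2f'-style payloads."""
    return safe_path(unquote(raw_param))
```

Note that safe_path does not strip anything: a nested sequence like ‘….//’ is simply a nonexistent subdirectory name once canonicalized, so it never escapes the base directory.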
