
A path traversal vulnerability, also known as a directory traversal vulnerability, is a security flaw that allows attackers to access files and directories they should not be able to reach. These vulnerabilities typically occur in web applications but can affect any software that handles file paths. Since 2014, path traversal vulnerabilities have accounted for roughly 5% of all new CVEs every year and comprise approximately 5% of CISA’s known exploited vulnerabilities catalog. CISA and the FBI published a Secure by Design Alert about them in May 2024, due to how widely abused they are by criminals.
How Path Traversal Works
Path traversal vulnerabilities exploit the fact that a file on a website has two addresses: a private location on a computer file system and a public URL used to access the file via HTTP. When a user requests a file using the public URL, the web server software maps the public address to the private file system location and retrieves the file.
For example, a website might offer a file called report.pdf with a public URL like https://www.example.com/?file=report.pdf, which maps to the file report.pdf in the directory /var/www/html on the server’s file system. On a secure website, the web server enforces rules restricting the files and directories a website user can access. A path traversal vulnerability lets an attacker manipulate the public HTTP address so that it maps to parts of the private file system they should not be able to reach, typically by using relative path segments such as ../, which means “go up one level from here”.
An attacker might replace report.pdf in the example URL with a relative path, such as ../../../../etc/passwd:
https://www.example.com/?file=../../../../etc/passwd
The same payload might be URL-encoded, which changes nothing for the server because it decodes the parameter before using it:
https://www.example.com/?file=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd
Both of these URLs map to /var/www/html/../../../../etc/passwd on the file system. Three ../ segments are enough to climb from /var/www/html to /, and the fourth is harmless because .. at the root stays at the root, so the path is interpreted as /etc/passwd, the Unix password file. Attackers routinely pad a payload with more ../ than needed for exactly this reason: they rarely know the depth of the web root in advance.
Path Traversal Attack Examples
Path traversal attacks usually arrive over HTTP and can use any method (GET, POST, PUT). The attacker-controlled value can sit in any part of the request the application turns into a file path: a query parameter, a form field, a path segment, a cookie or a header.
Here’s an example of a path traversal attack that uses a relative file path in a URL parameter to download a file from a vulnerable server:
- A vulnerable site serves files through a dynamic URL whose parameter names the file, for example https://vulnerablewebsite.com/show.asp?view=homepage.html. When a user opens it in a web browser, the server receives a request for the show.asp page together with the parameter view=homepage.html, and reads homepage.html from disk to build the response.
- A download endpoint on the same site works the same way. When the user requests https://www.vulnerablewebsite.com/download_file.php?file=document.pdf, the site sends document.pdf to the user’s computer.
- If the web server runs on Linux, its files are typically located under /var/www, two directory levels below the root directory (/). The attacker can attempt to break out of the web root and read the /etc/passwd file by submitting the following URL: https://www.vulnerablewebsite.com/download_file.php?file=../../etc/passwd.
Because the application does not validate the parameter, it passes the attacker’s string straight into the file-open call, and the operating system resolves /var/www/../../etc/passwd to /etc/passwd, handing the attacker the sensitive passwd file. The same attack works on a Windows server with ..\ (backslash) in place of ../; since Windows also accepts forward slashes as separators, the Unix form usually works there unchanged.
Here’s an example of an absolute file path attack, and of a relative path used against a template include:
- Suppose the following URL is vulnerable to path traversal attacks: http://vulnerablewebsite.com/get.asp?f=test
- It is vulnerable because it allows file access through the HTTP parameter f (?f=). If the application hands the value to the file system without prepending a directory, the attacker does not even need ../: an absolute path such as ?f=/etc/passwd is opened exactly as supplied.
- More often the application prepends its own directory, so the attacker has to climb out of it. If a template endpoint performs include(“../templates/” + template), an attacker could use the following URL to reach the passwd file: http://www.vulnerablewebsite.com/?template=../../../../etc/passwd
- The web server would then perform the following call, loading the passwd file instead of the design template: include(“../templates/../../../../etc/passwd”);
- The ../ operator refers to the current folder’s parent folder on Unix systems. By chaining several ../ operators in the file path, an attacker navigates out of the server’s webroot directory (/var/www/) and into the /etc directory, which is not meant to be accessible over the internet. Any ../ left over once the root has been reached is simply ignored.
Potential Consequences
Path traversal vulnerabilities can be used to read confidential data, such as credentials, and in some cases they can even be used to run arbitrary code, potentially leading to a complete takeover of the target.
Where the vulnerable operation writes rather than reads, an attacker might be able to upload or create files on the server, modify application code or data, and ultimately take control of the server.
How to Prevent Path Traversal Vulnerabilities
To prevent path traversal attacks, it is crucial to validate user input and to verify the file path the application actually ends up opening. Here are some techniques to prevent path traversal attacks:
- Input Validation: Validate user-supplied file names after they have been URL-decoded, and prefer an allowlist of known names (or an opaque identifier that the server maps to a file name) over trying to block bad characters.
- Relative Path Checking: Reject input containing path separators or .. segments, and, more robustly, canonicalize the final path (resolve .. and symbolic links) and confirm it still lies inside the intended directory before opening it. Rejecting ../ alone is not enough: encoded variants, backslashes and symlinks all get past a plain string match.
- File Extension Validation: Validate file extensions to ensure that only authorized file types can be accessed. This limits what an attacker can read but does not by itself stop traversal, since any readable file with an allowed extension is still reachable.
- Principle of Least Privilege: Run the web server and application under an account that can read only the files it needs, so that a traversal that does slip through cannot reach credentials or system files.
- Web Server Configuration: Properly configure the web server to restrict access to sensitive files and directories, and keep application data that should never be served outside the web root.
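The checks listed above, combined in one download handler, as an added Python example (not code from the original page; the allowed extensions, the temporary web root built by make_demo_webroot and the file names in it are constructed for the demonstration). The decisive check is the last one: os.path.realpath collapses every .. and follows symlinks, so the comparison is made against where the file really lives rather than against what the string looks like, which is what catches the symlink case that the string checks cannot.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumed for this example (not from the original page): the file types the endpoint
# may serve. The web root is supplied by the caller.
ALLOWED_EXTENSIONS = {".pdf", ".html", ".txt"}


class PathTraversalAttempt(Exception):
    """Raised when a requested name cannot be served from inside the web root."""


def safe_resolve(user_supplied, webroot, allowed_extensions=ALLOWED_EXTENSIONS):
    """Map ?file=<user_supplied> onto a path inside webroot, or raise PathTraversalAttempt.

    Layered in the order the page lists them: input validation, relative-path
    checking, extension validation, then a canonical-form containment check that
    holds even if the string checks are bypassed.
    """
    decoded = unquote(user_supplied)          # validate the decoded form, not the raw one
    if "\x00" in decoded:                      # NUL truncates paths in C-based file APIs
        raise PathTraversalAttempt("NUL byte in filename")
    # Relative path checking: a bare filename has no separators and is not "." or "..".
    # Backslash is rejected as well because Windows treats it as a separator.
    if not decoded or "/" in decoded or "\\" in decoded or decoded in (".", ".."):
        raise PathTraversalAttempt(f"path separators or traversal in {decoded!r}")
    if os.path.splitext(decoded)[1].lower() not in allowed_extensions:
        raise PathTraversalAttempt(f"extension not allowed: {decoded!r}")
    # Canonical-form check: realpath() resolves '..' and symlinks on both sides, so a
    # symlink inside the root that points outside it is caught here.
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalAttempt(f"{candidate} resolves outside {root}")
    return candidate


def is_blocked(user_supplied, webroot):
    """True if safe_resolve() refuses the request."""
    try:
        safe_resolve(user_supplied, webroot)
    except PathTraversalAttempt:
        return True
    return False


def make_demo_webroot():
    """Constructed fixture: a temporary web root holding report.pdf, plus link.txt, a
    symlink to a file outside the root (the case a string check alone cannot catch)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "html")
    os.mkdir(root)
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as f:
        f.write("not meant to be reachable over HTTP\n")
    os.symlink(outside, os.path.join(root, "link.txt"))
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    for name in ["report.pdf", "../../../../etc/passwd",
                 "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd",
                 "/etc/passwd", "report.pdf%00.txt", "report.exe", "link.txt"]:
        print(f"{name!r:50} {'blocked' if is_blocked(name, root) else 'served'}")
```

Only report.pdf is served; every other probe is refused, including link.txt, which passes the separator and extension checks and is stopped solely by the realpath comparison. Running the process as a low-privilege account remains worthwhile on top of this: it is the control that limits damage when a check is missing elsewhere in the application.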