Today, we live in a world full of web applications and online services. As their number grows day by day, security is sometimes neglected, which gives malicious actors an opportunity to take advantage. Directory traversal is one of the vulnerabilities that can cause severe damage to the server hosting those applications, exposing sensitive information and serving as a gateway to wreak havoc on the entire system.
What is directory traversal?
Directory traversal (a.k.a. path traversal) is a type of vulnerability that allows the attacker to access sensitive files or directories that are outside the scope of the intended web application. The attack takes advantage of a parameter that does not properly validate user input.
Exploiting directory traversal vulnerability
A directory traversal attack depends on how the website is structured. One of the most common cases is requesting the /etc/passwd file, because on Unix-like operating systems this file contains the details of the users registered on the server. On Windows systems this is different: the attacker may target \windows\win.ini as the equivalent.
Assuming that the attacker is targeting Linux and the image tag is vulnerable, here is how the attacker can do it.
Example of vulnerable tag:
<img src="/img?file=scenery.png" />
Reading arbitrary file (no defense)
In a website with no defense against the attack, the attacker can simply send a request to the server for a file elsewhere on the filesystem. On Linux, the web root is by default /var/www/html. As we are dealing with an image, we assume that scenery.png is located inside /var/www/image. It's important to know that /var is located on the same level as /etc.
Thus, to reach /etc/passwd from our current directory, we go up three levels and then descend into /etc/passwd. The .. sequence goes up one level, so we can reach the file we want with ../../../etc/passwd.
Therefore, you can use this.
<img src="/img?file=../../../etc/passwd" />
Reading arbitrary file with implemented defense
Unfortunately, this does not always work. There are times when the web developers have implemented some kind of defenses. However, the attacker may still be able to attack.
Absolute path traversal
The parameter above may also require an absolute path, which can be used to bypass the defense.
Assuming that the vulnerable tag looks like this:
<img src="/img?file=/var/www/image/scenery.png" />
The following payload may also work assuming that the parameter requires an absolute path.
<img src="/img?file=/etc/passwd" />
Stripped sequences
The developer could also implement sanitization code that strips directory traversal sequences, to prevent users from supplying those characters directly. In that case, encoding or double encoding the sequence, such as %2e%2e%2f or %252e%252e%252f, could still work. Alternatively, percent-encoded variants like ..%c0%af or ..%ef%bc%8f may also do the work.
Null Byte
In some cases, the file extension is important. Let’s use this as an example.
<img src="/img?file=scenery.png" />
You have probably tried using <img src="/img?file=/etc/passwd" /> but somehow it doesn't work. Perhaps the application expects the .png extension to be present. You can use null byte injection to solve this.
What is null byte injection? Null byte injection is an exploitation technique that alters the intended logic of an application by inserting a null byte character (e.g. %00) into the user input. You can try something like this.
<img src="/img?file=../../../etc/passwd%00.png" />
Instead of reading the whole value, the application does not read the filename extension, because the string is terminated prematurely at the null byte character. As a result, the .png extension is ignored.
Directory traversal vulnerability prevention
Validation and Sanitization
Like most security flaws, this vulnerability exists because the web developer has not implemented proper validation and sanitization of user input. To address the issue, the web developer can whitelist the permitted values, for example by allowing only alphanumeric characters: letters (A-Z, a-z) and numbers (0-9). Anything else is considered invalid.
Use canonical path
After sanitizing the input, the developer can resolve the user input to the file's canonical path. By doing so, any relative path entered by the user is always resolved to its absolute path.
At the same time, any redundant symbols need to be stripped. By filtering the result with if-else logic, only valid paths within the intended directory are allowed. Anything else is not processed and returns nothing.
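The two checks described above, allowlist validation followed by canonical-path containment, as an added example that is not from the original article. The `ALLOWED_NAME` policy, the function names and the temporary image directory are assumptions made for illustration; `weak_strip_filter` reproduces the strip-only defence from the "Stripped sequences" section for comparison.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Assumed policy for this example: alphanumeric base name plus an image extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9]+\.(?:png|jpg)")


def weak_strip_filter(raw: str) -> str:
    """Weak defence: strip '../' from the raw value, then decode it."""
    return unquote(raw.replace("../", ""))


def inside_base(base_dir: str, name: str) -> bool:
    """Canonical-path check: does base_dir/name resolve to a path under base_dir?"""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when name is absolute, so compare after resolving.
    target = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def resolve_image(base_dir: str, raw: str):
    """Return the canonical file path for a request value, or None if rejected."""
    name = unquote(raw)  # decode once, before any check
    if "\x00" in name or not ALLOWED_NAME.fullmatch(name):
        return None      # allowlist: no separators, a single dot before the extension
    if not inside_base(base_dir, name):
        return None      # also catches symlinks that point outside base_dir
    path = os.path.realpath(os.path.join(base_dir, name))
    return path if os.path.isfile(path) else None


def demo():
    """Run the request values shown in the article against both layers."""
    # Constructed sample data: a temporary image directory with one file.
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "scenery.png"), "wb").close()
        samples = ["scenery.png", "../../../etc/passwd", "/etc/passwd",
                   "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
                   "../../../etc/passwd%00.png"]
        return {s: resolve_image(base, s) is not None for s in samples}


if __name__ == "__main__":
    for value, served in demo().items():
        print(f"{value!r:45} served={served}")
```

The weak filter returns a value that still contains a traversal sequence when the input arrives percent-encoded, which is why the hardened function decodes first and then validates the decoded, canonical result.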
Access Control Lists (ACL)
Access Control Lists (ACL) can be used to restrict access to files and directories outside the web server directory. ACL enables administrators to define which users or groups are allowed to access, modify or execute which files or directories on the server.
For example, on Unix-like machines such as Linux, the root folder for the web server is by default /var/www/html. By setting appropriate ACLs, administrators can enforce a more granular level of access control and help prevent unauthorized access or modification of files and directories on the web server, thus preventing the public from accessing anything outside this scope.
Conclusion
At first, the directory traversal vulnerability may seem innocuous. Despite not being directly harmful, it can be leveraged as a stepping stone for attackers to gain access to sensitive information and compromise systems. Hence, both web developers and system administrators should work hand in hand to secure the systems and protect against the attack. Implementing security measures such as user input validation, file path restriction with canonical paths, and proper access control should help reduce the risk of a malicious actor compromising the system even further.