Research Report 92091
A path traversal (or directory traversal) attack aims at accessing and reading files
stored outside the directory tree that the web service exposes directly.
It consists of modifying a request’s parameters so that they navigate the file system tree.
The attacker’s goal is to move through the directories to reach sensitive files to
which access is normally not allowed (configuration files, source code…).
In some situations, the attacker may even gain access to unauthorized
functionality, such as writing files on the server. This can let them take
control of the server, and the vulnerability then becomes a remote code execution (RCE).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory
climbing” and “backtracking”.
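The following is an added example (not code from the original report) showing the failure the text describes and the fix a practitioner would apply: a naive static-file handler that joins the request path onto the web root, beside a hardened one that canonicalises the path and checks containment before opening anything. The directory layout, the secret file and the request strings are all constructed inside the script.

```python
"""Path traversal: a naive static-file handler beside a hardened one.

Added example, not code from the original report. The web-root layout
is built in a temporary directory at run time and the request strings
are constructed attacker inputs; nothing here is taken from a real site.
"""
import os
import tempfile
from urllib.parse import unquote


def serve_naive(web_root, requested):
    """Deliberately vulnerable: joins the user-supplied path onto the root.

    '..' segments are never rejected, an absolute `requested` makes
    os.path.join discard web_root entirely, and symlinks inside the root
    are followed wherever they point.
    """
    path = os.path.join(web_root, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def safe_resolve(web_root, requested):
    """Return the canonical on-disk path for `requested`, or raise.

    realpath() collapses '..' and follows symlinks, so the containment
    check is done on the file that open() would actually touch.
    """
    root = os.path.realpath(web_root)
    relative = unquote(requested).lstrip("/\\")  # an absolute input may not replace the root
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath rather than startswith: '/srv/www2' must not count as inside '/srv/www'.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("traversal blocked: %r" % requested)
    return candidate


def serve_safe(web_root, requested):
    """Hardened handler: only opens paths that resolve inside the root."""
    with open(safe_resolve(web_root, requested), "rb") as fh:
        return fh.read()


def _leaks(handler, root, requested):
    """True if the handler returned the secret that lives outside the root."""
    try:
        return b"db_password" in handler(root, requested)
    except OSError:  # PermissionError and FileNotFoundError both land here
        return False


def run_demo():
    """Build the constructed layout and try each payload against both handlers.

    Returns {label: (leaked_via_naive, leaked_via_safe)}.
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    secret = os.path.join(base, "secret.conf")  # one level above the web root
    with open(secret, "wb") as fh:
        fh.write(b"db_password=hunter2\n")  # constructed sample secret
    os.symlink(secret, os.path.join(root, "link.conf"))  # a stray symlink inside the root

    payloads = {
        "plain": "index.html",
        "dotdot": "../secret.conf",
        "encoded": "%2e%2e/secret.conf",  # decoded by unquote() before the join
        "absolute": secret,                # os.path.join drops the root for absolute paths
        "symlink": "link.conf",            # points outside the root
    }
    return {label: (_leaks(serve_naive, root, p), _leaks(serve_safe, root, p))
            for label, p in payloads.items()}


if __name__ == "__main__":
    for label, (naive, safe) in run_demo().items():
        print("%-9s naive leaked=%s  safe leaked=%s" % (label, naive, safe))
```

The check is done after decoding and after realpath(), which is the order that matters: a filter applied to the raw request string sees `%2e%2e` rather than `..`, and a filter applied before symlink resolution sees a name inside the root that actually points outside it.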
An attacker may use remote code execution to create a web shell on the server,
and use that web shell for website defacement.
File inclusion vulnerabilities come in two types, depending on where the
included file comes from:
– Local File Inclusion (LFI)
– Remote File Inclusion (RFI)
These vulnerabilities typically occur when an application takes the path to a file as
input. If the application treats that input as trusted and passes it to an include
statement, the attacker controls which file gets included, and that file is read or
executed as code.
While Local File Inclusion and Remote File Inclusion are very similar, an
attacker using LFI can include only files already present on the server, whereas RFI
lets them include a file fetched from a remote URL, which requires the runtime to
permit remote includes (for example PHP’s allow_url_include setting).
Differences
Directory traversal and local file inclusion bugs are frequently seen in web
applications. Directory traversal is when a server allows an attacker to read
files or directories outside of the normal web server directory.
Local file inclusion allows an attacker to include an arbitrary local
file (from the web server) in the web server’s response. Both of these bugs can
be used to read arbitrary files from the server.
In most cases, this means that an attacker can read the /etc/passwd file and the
shell history files in order to find information leaks. However, an attacker can
also use this to read the /proc file system. This can provide some interesting
insights into what’s running on the server.
Each process also has its own set of attributes. If you have the PID number and
access to that process, then you can obtain some useful information about it,
such as its environment variables (/proc/<pid>/environ) and the command line it
was started with (/proc/<pid>/cmdline). Sometimes these include passwords.
Linux also has a special proc entry, /proc/self, which can be used to query
information about the current process (here, the web server process performing the
read) without having to know its PID.
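As an added example (not code from the original report), the script below shows what an attacker does with the two /proc entries just mentioned once a traversal or LFI bug returns them: it builds the climbing path, parses the NUL-separated cmdline and environ formats, and flags anything that looks like a credential. Both byte strings are constructed samples; the program, paths and secret values are hypothetical.

```python
"""Triage of /proc/<pid>/cmdline and /proc/<pid>/environ contents leaked
through a path traversal or LFI bug.

Added example, not code from the original report. Both byte strings are
constructed samples in the real on-disk format (NUL-separated fields);
the process, paths and secret values are hypothetical.
"""
import re

# Constructed: argv of an app worker that was started with a password on the command line.
SAMPLE_CMDLINE = (b"python3\x00/srv/app/run.py\x00--db-password\x00hunter2\x00"
                  b"--port\x008080\x00")
# Constructed: the worker's environment, including a URL with embedded credentials.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\x00HOME=/var/www\x00"
                  b"DATABASE_URL=postgres://app:s3cret@db:5432/app\x00"
                  b"AWS_SECRET_ACCESS_KEY=EXAMPLEKEY0000000000\x00LANG=C.UTF-8\x00")

SENSITIVE_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|DATABASE_URL", re.I)
URL_CREDENTIALS = re.compile(r"://[^/:@\s]+:[^@\s]+@")  # scheme://user:pass@host


def traversal_path(depth, pid="self", entry="environ"):
    """Build the request value that climbs `depth` levels and reads a proc entry.

    'self' resolves to the process doing the read, i.e. the web server
    worker, so no PID guessing is needed.
    """
    return "../" * depth + "proc/%s/%s" % (pid, entry)


def parse_cmdline(raw):
    """/proc/<pid>/cmdline is argv joined by NUL bytes, with a trailing NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def parse_environ(raw):
    """/proc/<pid>/environ is KEY=VALUE entries separated by NUL bytes."""
    env = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def find_secrets(argv, env):
    """Return (source, name, value) for anything that looks like a credential."""
    found = []
    for name, value in env.items():
        if SENSITIVE_NAME.search(name) or URL_CREDENTIALS.search(value):
            found.append(("environ", name, value))
    for i, arg in enumerate(argv):
        if arg.startswith("--") and SENSITIVE_NAME.search(arg) and i + 1 < len(argv):
            found.append(("cmdline", arg, argv[i + 1]))  # value is the next argv entry
        elif URL_CREDENTIALS.search(arg):
            found.append(("cmdline", "argv[%d]" % i, arg))
    return found


def triage_samples():
    """Run the triage over the constructed samples."""
    return find_secrets(parse_cmdline(SAMPLE_CMDLINE), parse_environ(SAMPLE_ENVIRON))


if __name__ == "__main__":
    print("request:", traversal_path(4))
    for source, name, value in triage_samples():
        print("%-8s %-22s %s" % (source, name, value))
```

The same parsers are useful on the defensive side: run them against your own workers’ /proc entries and anything the triage flags is a secret that a single file-read bug would hand to an attacker.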
The impact of this flaw is generally critical, though it varies with the context.
Depending on what the attacker can reach, it may include:
• Information disclosure
• Remote code execution
• Cross-site scripting
• Denial of Service
• System compromise, etc.
In almost every web application there is functionality for uploading files, whether
text, video, image or another type. However, many web applications
do not perform proper security checks while uploading files, and this results in a
vulnerability called a File Upload Vulnerability. This one simple vulnerability can
lead to server-side scripting, arbitrary code execution, cross-site scripting, and
CSRF attacks.
The impact of file upload vulnerabilities
As with many other vulnerability classes, there is no single answer to what file
upload vulnerabilities can do to a target system.
▪ Remote Code Execution: The most harmful outcome. If the web server
configuration allows it, an attacker can try to upload a web shell, which
lets them pass terminal commands to the server running the
application. These commands can then be sent to the server simply through the
browser.
▪ Denial of Service: If the application code does not validate file size or the
number of files uploaded, an attacker can try to fill up the server’s
storage capacity until the application can no longer be used.
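The following is an added example (not code from the original report) that puts a weak upload handler beside a hardened one and runs both against the cases described above: a genuine image, a web shell with a spoofed Content-Type, a web shell renamed to .png, a filename carrying ../ so it lands in the served directory, and an oversized file. The size limit, the allowed image types and the directory layout are assumptions made for the demo.

```python
"""File upload: a weak handler beside a hardened one.

Added example, not code from the original report. The uploads are
constructed (filename, content-type, bytes) triples; the size limit,
the allowed image types and the directory layout are assumptions made
for this demo.
"""
import os
import secrets
import tempfile

MAX_BYTES = 64 * 1024  # assumed per-file limit for the demo
# Allowed extensions and the file signature each one must start with.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}


class RejectedUpload(Exception):
    pass


def store_weak(upload_dir, filename, content_type, data):
    """Deliberately vulnerable. Three common mistakes in one place:
    the Content-Type header is attacker-controlled, the client filename
    is used as-is (so '../' escapes upload_dir), and nothing caps size."""
    if not content_type.startswith("image/"):
        raise RejectedUpload("not an image")
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def store_safe(upload_dir, filename, content_type, data):
    """Hardened: ignore Content-Type, allowlist the extension, verify the
    bytes match that extension, cap the size, and never reuse the client's
    name for the stored file."""
    if len(data) > MAX_BYTES:
        raise RejectedUpload("too large")
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    if ext not in MAGIC:
        raise RejectedUpload("extension not allowed")
    if not data.startswith(MAGIC[ext]):
        raise RejectedUpload("content does not match extension")
    stored = os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)
    with open(stored, "wb") as fh:
        fh.write(data)
    return stored


def _accepted(handler, upload_dir, upload):
    try:
        handler(upload_dir, *upload)
        return True
    except RejectedUpload:
        return False


def run_demo():
    """Run the constructed cases through both handlers.

    Returns {case: (weak_accepted, safe_accepted)} plus a flag telling
    whether the weak handler let a file escape into the served directory.
    """
    base = tempfile.mkdtemp()
    uploads_dir = os.path.join(base, "uploads")
    www = os.path.join(base, "www")  # served directory; must never receive uploads
    os.makedirs(uploads_dir)
    os.makedirs(www)

    png = MAGIC["png"] + b"\x00" * 64
    php = b"<?php system($_GET['c']); ?>"  # constructed web-shell body
    cases = {
        "real_image": ("cat.png", "image/png", png),
        "shell_spoofed_type": ("shell.php", "image/png", php),    # header lie
        "shell_png_extension": ("shell.png", "image/png", php),   # extension lie
        "traversal_name": ("../www/shell.php", "image/png", php), # escapes uploads_dir
        "oversized": ("big.png", "image/png", MAGIC["png"] + b"\x00" * MAX_BYTES),
    }
    results = {k: (_accepted(store_weak, uploads_dir, v), _accepted(store_safe, uploads_dir, v))
               for k, v in cases.items()}
    results["weak_wrote_into_www"] = os.path.exists(os.path.join(www, "shell.php"))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print("%-22s %s" % (case, outcome))
```

Storing under a random server-generated name is what removes the traversal and the extension games at once: the client's filename is only consulted to pick an allowed extension, never to decide where the bytes are written. Keeping the upload directory outside the web root, or serving it with script execution disabled, is the matching server-side control.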