Path Traversal Vulnerability

Uploaded by

Tatsuya Shiba

PATH TRAVERSAL
by : Yahia ahmad

Course outline :

• What is path traversal vulnerability ??
• How do we find it ??
• How do we exploit the vulnerability ??
• How do we prevent it ??
What is path traversal vulnerability ??

Path traversal vulnerability ((directory traversal vulnerability)) : is a vulnerability that allows an attacker to read files on the server that is running the application.

How we get files in the application : suppose you visit a website and want to see an image. What the application does is send a GET request to the backend server that takes the file name of the image you want to see; the backend application retrieves the file and then displays it back to you in the browser.

The problem : if the file name in the URL is user controllable, because it is coming from the client side, and it is not validated in any way in the backend server, then you can view any file on the system, not just images. That is the big issue with this vulnerability: the attacker can then get at the backend code & see the files on the system. Therefore, this vulnerability is considered one of the vulnerabilities that is easy to exploit and poses a big threat to the system.

Example :
GET /vulnerable.php HTTP/1.0
Cookie: TheFileName=../../../../../etc/passwd

Note : ../../../../ means that you are adding a directory traversal payload in order to exploit the vulnerability; each ../ moves up one directory until you reach the root directory, and then you call the files you want.
The impact of Path traversal on the CIA triad

When there is a vulnerability on the system that has an impact, we should measure it in terms of how it impacts the CIA triad.

Confidentiality : allows you to read files on the system.

Integrity : some cases allow you to run commands and therefore alter files on the system.

Availability : some cases allow you to run commands and therefore delete files on the system.

Important note : if the Path traversal vulnerability allows you to run commands, then you can get full code execution on the server.
Finding Path traversal vulnerability

Finding it depends on the perspective of testing:

Black box testing : the tester is given little to no information about the system; the only info is the scope of engagement & the URL of the application.

White box testing : the tester is given complete access to the system, including access to the source code of the application.
Black box testing
• Map the application.
• Identify all instances where the web application appears to contain the name of a file or directory.
• Identify all functions in the application whose implementation is likely to involve retrieval of data from a server filesystem.
• Test identified instances with common Path traversal payloads and observe how the application responds, for example:

../../../../etc/passwd
../../.htaccess
\..\..\windows\win.ini
White-box testing
• Identify instances where user-supplied input is being passed to file APIs or as parameters to the OS.
• Identify instances in a running application first ((black box perspective)) and then review the code responsible for that functionality.
• Grep for functions in the code that are known to include and evaluate files on the server, and review whether they take user-supplied input.
• Use a tool to monitor all filesystem activity on the server, then test each page of the application by inserting a single unique string. Set a filter in the monitoring tool for the specific string and identify all filesystem events that contain the string.
Note on black-box and white-box testing :

In black box testing : we automate testing using a web application vulnerability scanner (WAVS).

In white box testing : we validate potential Path traversal vulnerabilities on a running application.

Exploiting directory traversal :

• Regular case :

../../../../../etc/passwd
..\..\..\..\..\windows\win.ini

• Absolute paths :

/etc/passwd

• Traversal sequences stripped non-recursively (the first payload becomes the second once ../ is stripped a single time) :

....//....//....//etc/passwd
../../../etc/passwd

• Bypass a traversal-sequence-stripping defense using URL encoding :

%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

Or double the encoding.

• Bypass start-of-path validation :

/var/www/images/../../../../etc/passwd

• Bypass file extension validation using a null byte :

../../../etc/passwd%00.png

This means that anything that comes after the null byte should be ignored by the system.

Automated exploitation tools

Web application vulnerability scanners (WAVS) :
How to prevent Path traversal vulnerabilities ??

1* The best way to prevent Path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs.

2* You should put at least 2 layers of defense in place to prevent this type of attack:

2.1 * Validate user input by comparing it to an allow list of permitted values. If that's not possible, ensure that the input only contains alphanumeric characters.

2.2 * After validating the user-supplied input, use filesystem APIs to canonicalize the path and verify that it starts with the expected base directory.

A JAVA code representation on how to do that:
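The Java code itself did not survive extraction, so the block below is an added example written for this page, not the author's own. It assumes a base directory of /var/www/images and a hypothetical ImageResolver class, and runs the slides' own payloads (plain traversal, the non-recursive stripping bypass and the null byte) through the naive join, a single-pass "../" filter, and the two-layer defense from points 2.1 and 2.2.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class ImageResolver {
    // Assumed base directory (not from the slides): where the application keeps its images.
    private static final File BASE_DIR = new File("/var/www/images");
    // Layer 1 allow-list: a plain file name with no separators, encoded bytes or control characters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$");

    // Vulnerable pattern from the slides: the request's file name is joined to the base as-is.
    static String resolveUnsafe(String fileName) {
        return new File(BASE_DIR, fileName).getPath();
    }

    // Weak filter the slides describe as bypassable: "../" is removed in one pass, not recursively.
    static String stripOnce(String fileName) {
        return fileName.replace("../", "");
    }

    // Hardened resolver (layers 2.1 and 2.2): allow-list first, then canonicalize and check the prefix.
    static File resolveSafe(String fileName) throws IOException {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected by allow-list");
        }
        File candidate = new File(BASE_DIR, fileName);
        String base = BASE_DIR.getCanonicalPath() + File.separator;
        String target = candidate.getCanonicalPath(); // resolves "..", "." and symlinks
        if (!target.startsWith(base)) {
            throw new SecurityException("escapes base directory: " + target);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Probes taken from the slides' exploitation section, plus one legitimate file name.
        String[] probes = { "logo.png", "../../../../etc/passwd",
                            "....//....//....//etc/passwd", "../../../etc/passwd\u0000.png" };
        for (String p : probes) {
            System.out.println("input       : " + p.replace("\u0000", "%00")); // show the null byte
            System.out.println("  unsafe    : " + resolveUnsafe(p).replace("\u0000", "%00"));
            System.out.println("  stripOnce : " + stripOnce(p).replace("\u0000", "%00"));
            try {
                System.out.println("  hardened  : accepted " + resolveSafe(p).getPath());
            } catch (RuntimeException e) {
                System.out.println("  hardened  : " + e.getMessage());
            }
        }
    }
}
```

Every payload from the slides is stopped at the allow-list, and stripOnce visibly turns "....//....//....//etc/passwd" into "../../../etc/passwd"; the canonical-path check stays in place as the backstop for anything a looser allow-list would let through.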


THE END OF PATH TRAVERSAL