Directory traversal

What is it?

Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application.

A simple example:

A vulnerable web application may have the endpoint /get_file?path={filepath} When a request is made, the application returns the content of the specified file. If an attacker inserts a path into {filepath} such as ../../../etc/passwd, they might get access to the system files. The application then fetches this file, and if the file contents are sent in the response, the attacker can view sensitive system information.

Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to:

• Sensitive data exposure

• System information disclosure

Other learning resources:

PortSwigger: https://portswigger.net/web-security/file-path-traversal

Checklist

• What is the technology stack you're attacking?

• What application/framework is being used?

• Is it PHP, Java, Python, .NET, etc?

• Verify injection points

  • URL parameters

  • Form fields

  • HTTP headers (e.g. cookies, etc)

• Check if you can traverse to directories outside of the webroot:

  • ../../../../etc/passwd

  • ../../../../Windows/System32/config/SAM (Windows)

• Is there a blocklist?

• Is there a filter?

• Is the filter recursive?

• Is the filter on single characters or sets? (e.g. / vs ../)

• Can you bypass the blocklist?

• Is a specific extension required?

• Can you read a sensitive file with allowed extensions?

• Can you bypass with:

  • Null byte? %00

  • Encoding

  • Double encoding

  • URL encoding

  • Unicode encoding

• Test for log exposure

• Can you read log files?

• Other unexpected bypasses ../../ in the middle of the path

Exploitation

Basic directory traversal

../../../../etc/passwd

Reading application's own configuration files

../../webapp/config/database.ini

Log exposure

../../../../var/log/apache2/access.log

Non-recursive filter bypass

..././..././..././..././..././..././etc/passwd

Tools

GitHub - wireghoul/dotdotpwn: DotDotPwn - The Directory Traversal FuzzerGitHub