Path Traversal, also known as Directory Climbing and Directory Traversal, exploits insufficient control over file paths to reach sensitive information stored on web servers. This vulnerability shows up constantly in globally recognized vulnerability references such as the SANS/CWE Top 25 Most Dangerous Software Errors and the OWASP Top 10.
There are two primary security mechanisms available today in web servers:
Access Control Lists (ACLs) – These are essentially whitelists that the web server's administrator uses to define access permissions. They are consulted during the authorization process: only users with the required permissions can access, modify or share sensitive files and information.
Root Directory – This directory sits in the server's file system, and users are not supposed to be able to reach files above it. One example is the sensitive cmd.exe file on Windows platforms, which rests in a root directory that not everyone can access.
Path Traversals become possible when access to web content is not properly controlled and the web server is compromised. This is essentially an HTTP exploit that gives malicious attackers unauthorized access to restricted directories. They are eventually able to manipulate the web server and execute malicious commands outside its root directory/folder.
These attacks are usually carried out with the help of injections such as Resource Injections, typically executed with the help of crawlers. The attack usually involves the following steps:
- The user/victim enters input into the application
- The user input is used to access a specific file (to read, write or send it)
- The attacker uses resource identifiers to manipulate the vulnerable application
- Parameters such as file names and port numbers are altered to initiate the attack
- The vulnerable application is tricked into granting access to the sensitive file(s) even though the attacker does not have the required permissions
- The attacker can then overwrite/modify files and even send them to third-party servers
The following URLs show how the application deals with the resources in use:
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
In these examples it may be possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.
The following URLs show examples of UNIX/Linux password file exploitation.
Important: On a Windows system the malicious attacker can navigate only within the partition that holds the web root, whereas on Linux the whole disk can be navigated/accessed.
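The URLs above are the kind of request a defender would want to spot in web server logs. The following is an added example, not code from the original post or from Checkmarx: it scans constructed access-log lines (labelled as such) for the "../" and "..\" sequences discussed above, percent-decoding the request target first so that an encoded sequence is not missed. The log format, the request regex and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /get-files?file=../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /get-files?file=reports/q3.pdf HTTP/1.1" 200 90211
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /get-files?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 404 512
10.0.0.8 - - [10/Oct/2023:13:56:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# Assumed Common Log Format: the request line is the quoted "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A traversal step is ".." followed by a forward or back slash.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def decode_target(target: str) -> str:
    """Percent-decode until the string stops changing, so doubly-encoded
    sequences are decoded to the same form as a plain '../'."""
    previous = None
    while previous != target:
        previous, target = target, unquote(target)
    return target


def find_traversal(log_text: str) -> list:
    """Return (method, decoded target) for every request containing a traversal step."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        decoded = decode_target(match.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append((match.group("method"), decoded))
    return hits


if __name__ == "__main__":
    for method, target in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt: {method} {target}")
```

Decoding before matching matters because the web server decodes the request before using it, so a detector that matches only the literal "../" sees a different string than the application does.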
Ways of mitigating the risk of Path Traversal include:
- Validate the user’s input. Accept only valid values (whitelist).
- Remove "..\" and "../" from any input that is used in a file context.
- Use indexes instead of actual portions of file names when using language files (i.e. the value 5 from the user submission maps to Indian, rather than expecting the user to return "Indian").
- Implement strict code access policies to restrict where files can be saved to.
- Ensure the user cannot supply any part of the path to the file read or written to.
- UNIX system administrators are advised to use chrooted jails and code access policies to restrict where the files can be obtained or saved.
- Configure the default installation of the server software as per the requirements. The servers should also be maintained and patched with the latest updates.
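The following is an added example, not code from the original post or from Checkmarx, showing three of the mitigations listed above in working form: a vulnerable file read that joins user input straight into a path, a hardened version that resolves the path and refuses anything that does not stay under the web publish directory (covering both "../" sequences and absolute paths), and the index-based lookup for language files. The directory layout, file names and the language index table are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed index -> language file table (the "value 5 = Indian" idea).
LANGUAGE_FILES = {1: "en.json", 2: "fr.json", 5: "hi.json"}


def open_file_unsafe(base_dir: str, user_file: str) -> str:
    """Vulnerable: user input becomes part of the path with no check at all."""
    return open(os.path.join(base_dir, user_file)).read()


def resolve_under_base(base_dir: str, user_file: str) -> Path:
    """Hardened: canonicalize, then require the result to sit below base_dir.

    Resolving both sides removes '..' segments and symlinks; an absolute
    user_file discards base_dir on join, so it is also caught by the check."""
    base = Path(base_dir).resolve()
    candidate = (base / user_file).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"path escapes web root: {user_file!r}")
    return candidate


def language_file(base_dir: str, index) -> Path:
    """Whitelist by index: the user never supplies any part of the file name."""
    try:
        name = LANGUAGE_FILES[int(index)]
    except (KeyError, ValueError, TypeError):
        raise ValueError("unknown language index")
    return resolve_under_base(base_dir, name)


def demo() -> dict:
    """Build a throw-away layout with one file outside the web root and
    exercise the unsafe and hardened functions against it."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"          # the web publish directory
    public.mkdir()
    (public / "report.txt").write_text("quarterly report")
    (public / "hi.json").write_text('{"lang": "hi"}')
    (root / "secret.txt").write_text("outside the web root")

    results = {}
    try:
        # The vulnerable function happily reads one level above the web root.
        results["unsafe_leak"] = open_file_unsafe(str(public), "../secret.txt")
        results["safe_read"] = resolve_under_base(str(public), "report.txt").read_text()
        try:
            resolve_under_base(str(public), "../secret.txt")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
        try:
            resolve_under_base(str(public), str(root / "secret.txt"))
            results["absolute_blocked"] = False
        except PermissionError:
            results["absolute_blocked"] = True
        results["language_by_index"] = language_file(str(public), 5).name
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the check is done on the resolved path rather than by stripping "../" from the input: stripping can be bypassed by nested sequences such as "....//", while comparing canonical paths does not depend on how the input was spelled.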
CxSAST detects data flows that are vulnerable to Path Traversal by following all user input that is used in a file creation or file reading context. If the input is not validated or sanitized (i.e. "..\" or "../" removed) before being used, CxSAST flags this data flow as vulnerable to Path Traversal. Developers can then apply the remediation techniques listed above.