DIRECTORY TRAVERSAL

What is a Directory Traversal attack?


Directory traversal, also called path traversal, is an HTTP attack that allows an attacker to access restricted directories and files, and in some cases execute commands, outside of the web server's root directory.

Access Control Lists (ACLs)

An Access Control List is used by administrators to manage who has control over what: which users are able to access, modify or execute particular files on the server, along with other access rights.

Root directory

The root directory is a specific directory, and users are not able to access anything above it. For example, the default root directory of IIS on Windows is C:\Inetpub\wwwroot; with this setup, a user does not have access to C:\Windows but does have access to C:\Inetpub\wwwroot\news and any other directories and files under the root directory.

The root directory prevents users from accessing files elsewhere on the server, such as C:\WINDOWS\system32\win.ini on Windows platforms and the /etc/passwd file on Linux/UNIX platforms.

This vulnerability can exist either in the web server software itself or in the web application code.

In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are usually found on the system.

Directory Traversal In Web Application Code


In web applications with dynamic pages, input is usually received from browsers through GET or POST request methods. Here is an example of an HTTP GET request URL:

GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1
Host: test.webarticles.com

  1. The browser requests the dynamic page show.asp with the parameter view set to oldarchive.html.
  2. show.asp retrieves oldarchive.html from the server's file system.
  3. It renders the file and sends it back to the browser.

The attacker would assume that show.asp can retrieve arbitrary files from the file system and send the following custom URL:

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1
Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user.

The expression ../ instructs the system to go one directory up; it is a standard directive understood by the operating system. The attacker has to guess how many directories to go up to reach the Windows folder on the system, but this is easily done by trial and error.

Directory Traversal In Web Server


A URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can look like this:

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1
Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell and running the command dir c:\ in it. The %5c expression in the URL request is a URL escape code (percent-encoding) used to represent an ordinary character: in this case %5c represents the backslash character \.

Tools


Countermeasures

Filter meta characters (such as ../ sequences) from user-supplied input before it is used to build a file path
Keep the web server and its software patched
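As an added example, not code from the original article, the show.asp handler described above modelled in Python: the vulnerable way of resolving the view parameter is shown beside a hardened version that canonicalises the path and refuses anything that does not stay under the web root. WEB_ROOT is an assumed value matching the article's IIS default, and the sample view values are constructed.

```python
"""Resolve a user-supplied 'view' parameter under the web root.

Added example, not code from the original article. It models the show.asp
handler described above using Windows-style paths (ntpath), so it behaves
the same on any platform. WEB_ROOT is an assumed value (the IIS default).
"""
import ntpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = r"C:\Inetpub\wwwroot"  # assumed, matching the article's IIS example


def naive_resolve(view: str) -> str:
    """Vulnerable pattern: join the decoded parameter onto the root and trust it.
    '../' sequences in 'view' walk out of WEB_ROOT, as the article describes."""
    return ntpath.normpath(ntpath.join(WEB_ROOT, unquote(view)))


def safe_resolve(view: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened pattern: canonicalise, then check containment in the root.
    Returns the canonical path to open, or None if the request is refused.
    The check is on the final path, not a '../' substring filter, so encoded
    or mixed-separator variants cannot bypass it."""
    # URL-decode exactly once, before the check, so the validated path is
    # the same path that would be opened.
    decoded = unquote(view)
    root_norm = ntpath.normpath(root)
    # join() drops the root if 'decoded' carries a drive or leading separator;
    # normpath() collapses '.'/'..' and unifies '/' and '\'.
    candidate = ntpath.normpath(ntpath.join(root_norm, decoded))
    try:
        shared = ntpath.commonpath(
            [ntpath.normcase(root_norm), ntpath.normcase(candidate)]
        )
    except ValueError:  # different drives: cannot be under the root
        return None
    if shared != ntpath.normcase(root_norm):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample 'view' values, including the two from the article.
    for view in ("oldarchive.html", "news/../oldarchive.html",
                 "../../../../../Windows/system.ini",
                 "..%5c../Windows/System32/cmd.exe"):
        print(f"{view!r:40} naive={naive_resolve(view)!r}")
        print(f"{'':40} safe ={safe_resolve(view)!r}")
```

Note that news/../oldarchive.html is accepted because its canonical form is still inside the root, which is the point of checking the resolved path rather than rejecting every occurrence of ../.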
