Directory Traversal Attack

What is a Directory Traversal Attack?

Properly controlling access to web content is crucial for running a secure web server. Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Web servers provide two main levels of security mechanisms:

- Access Control Lists (ACLs)
- Root directory

An Access Control List is used in the authorization process. It is a list which the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, as well as other access rights.

What an Attacker can do if your Website is Vulnerable

With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files or, even more dangerous, allow the attacker to execute powerful commands on the web server, which can lead to a full compromise of the system.

Depending on how the website access is set up, the attacker will execute commands as the user which is associated with "the website". Therefore it all depends on what the website user has been given access to in the system.

Example of a Directory Traversal Attack via Web Server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server. The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks.
Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers. For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be:

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1
Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and running the command dir c:\ in the shell. The %5c expression in the URL request is a web server escape code which is used to represent normal characters; in this case %5c represents the character \. Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions, however, do not filter out these codes in the root directory enforcer and will let attackers execute such commands.
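Requests of this shape are easy to spot in access logs once the request target is decoded the way a lenient server would decode it. The Python script below is an added example, not part of the original article: it scans constructed access-log lines (IP addresses, timestamps and paths are all sample data), percent-decodes the request target repeatedly so that double-encoded forms are also caught, folds the overlong UTF-8 encoding of "/" (C0 AF, discussed later on this page) to a plain separator, and flags any request whose decoded target contains a parent-directory step.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in Common Log Format; none come from a real server.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 200 1024',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 221',
    '10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /download?f=%252e%252e%252fconfig.php HTTP/1.1" 200 300',
    '10.0.0.11 - - [10/Oct/2023:13:56:09 +0000] "GET /docs/..%c0%af..%c0%afboot.ini HTTP/1.1" 404 221',
    '10.0.0.3 - - [10/Oct/2023:13:57:00 +0000] "GET /blog/2023/my..post HTTP/1.1" 200 900',
]

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A parent-directory step: ".." not preceded by another dot and followed by
# "/" or "\" (or the end of the target). "my..post" does not match.
TRAVERSAL_RE = re.compile(rb"(?:^|[^.])\.\.(?:[/\\]|$)")


def canonicalize(target: str, max_rounds: int = 3) -> bytes:
    """Decode the target the way a permissive server would before its path check.

    Percent-decoding is repeated (bounded) so "%252e" -> "%2e" -> "." is caught.
    The overlong two-byte form of "/" (C0 AF), the IIS case described on this
    page, is then folded to a plain "/" so the detector sees what such a server saw.
    """
    data = target.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data.replace(b"\xc0\xaf", b"/")


def scan_log(lines):
    """Return one record per request whose decoded target contains a traversal step."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = canonicalize(match.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": line.split(" ", 1)[0],
                "raw": match.group("target"),
                "decoded": decoded.decode("latin-1"),
            })
    return hits


def offending_clients(lines):
    """Distinct source addresses that sent at least one traversal attempt."""
    return sorted({hit["ip"] for hit in scan_log(lines)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"{hit['ip']:10} {hit['raw']}  ->  {hit['decoded']}")
    print("clients:", offending_clients(SAMPLE_LOG_LINES))
```

Note that the detector decodes before matching; a rule that only looks for the literal string `../` in the raw log misses every encoded variant above, which is the same mistake the vulnerable servers made.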

URI encoded directory traversal

Canonicalization problem. Some web applications scan the query string for dangerous characters such as "..", "..\" and "../" to prevent directory traversal. However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent-encoded directory traversal such as:

  %2e%2e%2f  which translates to  ../
  %2e%2e/    which translates to  ../
  ..%2f      which translates to  ../
  %2e%2e%5c  which translates to  ..\

Unicode / UTF-8 encoded directory traversal

Canonicalization problem. UTF-8 was noted as a source of vulnerabilities and attack vectors by Bruce Schneier and Jeffrey Streifling.[1] When Microsoft added Unicode support to their web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented. Multiple percent encodings, such as %c1%1c and %c0%af, translated into / or \ characters.

Percent encodings were decoded into the corresponding 8-bit characters by the Microsoft web server. This has historically been correct behavior, as Windows and DOS traditionally used canonical 8-bit character sets based upon ASCII. However, the original UTF-8 was not canonical, and several different encoded strings could now be decoded to the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons. Malformed percent encodings, such as %c0%9v, were also utilized.[2]

Zip/archive traversal attacks

The use of archive formats like zip allows for directory traversal attacks: files in the archive can be written such that they overwrite files on the filesystem by backtracking.
Code that uncompresses archive files can be written to check that the paths of the files in the archive do not engage in path traversal.

Absolute Path Traversal

The following URLs may be vulnerable to this attack:

  http://testsite.com/get.php?f=list
  http://testsite.com/get.cgi?f=2
  http://testsite.com/get.asp?f=test

An attacker can execute this attack like this:

  http://testsite.com/get.php?f=/var/www/html/get.php
  http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
  http://testsite.com/get.asp?f=/etc/passwd

When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. the path to a file with source code, which may then be displayed).
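As an added example (not code from the original page), the Python below implements the archive check described two paragraphs above: every member name is resolved against the destination directory before anything is written to disk, and names that backtrack with "..", use backslash separators, or are absolute are rejected rather than extracted. The archive is constructed in memory from sample member names; the destination is a temporary directory.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional


def safe_member_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Resolve an archive member name against dest_dir.

    Returns the absolute target path if it stays inside dest_dir, otherwise None.
    """
    dest_root = os.path.realpath(dest_dir)
    # Archives written on Windows may use backslashes; treat them as separators so
    # a POSIX extractor does not keep "..\" as an ordinary part of a file name.
    name = member_name.replace("\\", "/")
    # An absolute member name is itself an attempt to write outside dest_dir.
    if not name or name.startswith("/") or os.path.isabs(name):
        return None
    # realpath collapses ".." components and follows any symlinks that already exist.
    target = os.path.realpath(os.path.join(dest_root, name))
    if target == dest_root or os.path.commonpath([dest_root, target]) != dest_root:
        return None
    return target


def extract_safely(archive_bytes: bytes, dest_dir: str):
    """Extract only members that resolve inside dest_dir; report the rejected names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def build_demo_archive() -> bytes:
    """Construct an in-memory archive mixing benign and hostile member names (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign file")
        zf.writestr("docs/../docs/nested.txt", "still inside the destination after normalization")
        zf.writestr("../../outside.txt", "backtracks out of the destination")
        zf.writestr("..\\..\\outside_win.txt", "backtracks using backslashes")
        zf.writestr("/etc/passwd", "absolute path")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed archive into a temporary directory and summarise the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        written, rejected = extract_safely(build_demo_archive(), dest)
        return {
            "written": sorted(os.path.relpath(path, root) for path in written),
            "rejected": sorted(rejected),
        }


if __name__ == "__main__":
    print(run_demo())
```

The check is done on the fully resolved path, not on the presence of ".." in the name, so "docs/../docs/nested.txt" is accepted (it lands inside the destination) while "../../outside.txt" is not. Python's own `ZipFile.extractall` strips ".." components itself, but extraction code in many other libraries and languages does not, which is why the explicit resolve-then-compare step belongs in any extractor you write.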

Possible methods to prevent directory traversal

A possible algorithm for preventing directory traversal would be to:

1. Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
2. When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
3. It is assumed that a 'Document Root' fully qualified, normalized path is known, and this string has a length N. Assume that no files outside this directory can be served.
4. Ensure that the first N characters of the fully qualified path to the requested file are exactly the same as the 'Document Root'.
5. If so, allow the file to be returned.
6. If not, return an error, since the request is clearly out of bounds from what the web server should be allowed to serve.
7. Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension.
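Steps 2 to 6 above, together with the canonicalization points from the URI-encoded and UTF-8 sections, fit in a short module. The Python below is an added example, not code from the original page: it percent-decodes the request path once and then interprets the bytes as strict UTF-8, so the overlong (C0 AF) and malformed (%c0%9v) encodings described earlier are refused instead of being mapped to "/"; it then builds the fully qualified path under a document root and enforces the prefix comparison. The root `/srv/site` is a placeholder and the request list is constructed sample input covering the encodings listed on this page.

```python
import posixpath
from urllib.parse import unquote_to_bytes


class TraversalError(ValueError):
    """Raised when a request path cannot be served from the document root."""


def canonicalize_uri_path(raw_path: str) -> str:
    """Step 2: percent-decode, then interpret the bytes as strict UTF-8.

    Overlong forms such as C0 AF and malformed sequences such as C0 followed by
    "%9v" are not valid UTF-8, so they are refused here rather than being quietly
    turned into "/" the way a lenient 8-bit decoder would.
    """
    decoded = unquote_to_bytes(raw_path)
    try:
        return decoded.decode("utf-8")  # strict decoding: invalid bytes raise
    except UnicodeDecodeError as exc:
        raise TraversalError(f"malformed UTF-8 in request path {raw_path!r}") from exc


def resolve_request(document_root: str, raw_path: str) -> str:
    """Steps 3 to 6: build the fully qualified path and require the document-root prefix."""
    root = posixpath.normpath(document_root)
    if not root.startswith("/"):
        raise ValueError("document_root must be an absolute, fully qualified path")
    # Backslashes are separators on IIS-style hosts; fold them so "..\" is seen as "../".
    rel = canonicalize_uri_path(raw_path).replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(root, rel))
    # Compare against the root *with* its trailing separator: a bare test of the
    # first N characters would wrongly accept "/srv/site2/..." for a root of "/srv/site".
    prefix = root if root.endswith("/") else root + "/"
    if full != root and not full.startswith(prefix):
        raise TraversalError(f"{raw_path!r} resolves to {full!r}, outside {root!r}")
    return full


# Constructed sample requests: two benign, the rest using the encodings from this page.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../../etc/passwd",
    "/%2e%2e%2f%2e%2e%2fetc/passwd",
    "/..%2f..%2fetc/passwd",
    "/%2e%2e%5c%2e%2e%5cwindows/win.ini",
    "/..%c0%af..%c0%afboot.ini",
    "/..%c0%9v",
    "/../site2/secret.txt",
]


def check_requests(document_root: str, requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to the path it would be served from, or to the refusal reason."""
    results = {}
    for req in requests:
        try:
            results[req] = resolve_request(document_root, req)
        except TraversalError as exc:
            results[req] = "REFUSED: " + str(exc)
    return results


if __name__ == "__main__":
    for req, outcome in check_requests("/srv/site").items():
        print(f"{req:40} -> {outcome}")
```

Two points the list above leaves implicit: the comparison must include the separator after the root, otherwise a sibling directory whose name merely starts with the root's name passes the N-character test; and the decision rests on the resolved path against the root, not on any suffix appended to it, which is exactly why item 7 holds. On a live server, resolving symlinks (`os.path.realpath`) before the comparison also catches links inside the root that point outside it.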