Imagine your house is full of rooms with various doors, some leading to secure areas like your personal office or a safe room. Now, what if someone knew a trick to bypass the usual routes and access these rooms directly, stealing or tampering with your valuables, such as your 419-karat gold chain, expensive perfume, or even your vintage Kolo box. This is essentially what happens in a path traversal attack. What is Path Traversal? Path traversal, also known as directory traversal, is a type of vulnerability found in web applications. It allows attackers to access files and directories stored outside the web root folder, which they typically shouldn't be able to reach, that's for the chefs, a.k.a Backend Engineers. These files can contain sensitive information like application code, user data, credentials, and even system files, which can be exploited to gain further control over the server. How Path Traversal Works Say there's a web application, a sinister yahooyahoo online shopping store used to trade illegally, much like Darkmarket, with its name actually being yahooyahoo! Dumb I know, had to do with something about hiding in plain sight by the admin who's now in jail :). The application loads an image using a URL like this: <img src="/loadImage?filename=218.png"> In the backend, the server processes this request by appending the filename to a base directory: /var/www/images/218.png However, if there are no defenses against path traversal, an attacker; in this case EFCC, can manipulate the filename parameter to access other files on the server such as account info of the users. For instance, they might try: https://yahooyahoo.com/loadImage?filename=../../../etc/passwd This request instructs the server to load a file by stepping up three directory levels from the base path and then accessing the /etc/passwd file, a critical system file on Unix-like systems. The server constructs the path like this: /var/www/images/../../../etc/passwd The ../ sequence moves up one directory level. So, the path resolves to: /etc/passwd The Power and Might of ../ Sequence When you hear of Sequence in Web-Sec, just think of Navigation. Think of ../ as a way to go up one level in a directory structure, like climbing a ladder to the floor above: A single ../ takes you one level up. ../../ takes you two levels up. ../../../ takes you three levels up, and so on. In a computer file system: Starting at /home/user/documents/projects, ../ takes you to /home/user/documents. ../../ would take you to /home/user. ../../../ brings you to /home. To better understand this: Imagine you're in a large hotel, Hotel 3FCC. You start in room 419 (4th floor, 19th room). Using ../: ../ means stepping out into the hallway (up one level in directory terms). ../../ means taking the elevator down to the 3rd floor. ../../../ means going down to the 2nd floor. Hotel Layout: Hotel: --------------------- (Floors) | | +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (Your Room)| | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Path Traversal Steps: Initial Position: Room 419 on the 4th Floor Current Path: /home/user/documents/projects Hotel Analogy: You are in Room 419 on the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 1: Using ../ to move up one level to the hallway of the 4th floor New Path: /home/user/documents Hotel Analogy: Stepping out into the hallway of the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 2: Using ../../ to move up two levels to the 3rd Floor New Path: /home/user Hotel Analogy: Taking the elevator down to the 3rd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ Step 3: Using ../../../ to move up three levels to the 2nd Floor New Path: /home Hotel Analogy: Taking the elevator down to the 2nd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ Defenses and Bypasses To prevent these attacks, many applications strip out directory traversal sequences from user input. But clever attackers often find ways to bypass these defenses. For instance, they might use an absolute path directly from the root: filename=/etc/passwd Or, they might use nested traversal sequences like ....//, which, after stripping, still leaves a valid traversal sequence: https://yahooyahoo.com/loadImage?filename=....//etc/passwd Here’s how nested sequences work: User input: ....//etc/passwd Application strips ../: The sequence ....// reverts to ../ Resulting path: /var/www/images/../etc/passwd Final path resolves to: /etc/passwd URL Encoding Tricks Another trick involves URL encoding (I'll be writing an article on URL encoding soon), where characters like ../ are represented in encoded forms (%2e%2e%2f). For example: filename=%2e%2e%2f%2e%2e%2fetc/passwd This can trick the application into processing it as valid input. Protecting Against Path Traversal To defend against path traversal: Avoid using user input in filesystem APIs whenever possible. Validate user inputs rigorously: Use a whitelist of allowed values. Allow only specific characters (e.g., alphanumeric). Canonicalize the path: Ensure the resolved path starts with the expected base directory. Real-Life Examples of Path Traversal Attacks 1. Apache Struts CVE-2017-5638 In 2017, a critical vulnerability was discovered in Apache Struts, a popular open-source web application framework. The vulnerability (CVE-2017-5638) allowed attackers to exploit path traversal to read and execute arbitrary files on the server. This was part of the attack vector used in the massive Equifax data breach, which exposed personal information of over 147 million people. Attackers leveraged the vulnerability to execute remote code, gaining access to sensitive data. 2. Fortinet FortiOS Path Traversal (CVE-2018-13379) In 2018, a path traversal vulnerability (CVE-2018-13379) was discovered in Fortinet's FortiOS SSL VPN web portal. The flaw allowed unauthenticated attackers to download system files via specially crafted HTTP resource requests. By exploiting this, attackers could access sensitive information such as password files and VPN session details, compromising the security of the entire network. 3. Magento eCommerce Platform Magento, a popular eCommerce platform, has been subject to multiple path traversal vulnerabilities over the years. One such vulnerability allowed attackers to exploit the file upload mechanism to upload malicious files by bypassing directory restrictions. This could lead to remote code execution, enabling attackers to take over the web server and access sensitive customer information and payment data. 4. Nokia Store App In 2012, a significant path traversal vulnerability was found in the Nokia Store app. The issue allowed attackers to download arbitrary files from the server. By manipulating the URL parameters, attackers could access restricted directories and sensitive files, potentially exposing user data and internal configurations. 5. Rubygems.org Path Traversal (CVE-2020-25613) In 2020, a path traversal vulnerability was identified in Rubygems.org, the Ruby community’s gem hosting service. The vulnerability (CVE-2020-25613) allowed attackers to manipulate file paths and download arbitrary files from the server. This posed a significant risk as it could potentially expose sensitive configuration files and credentials stored on the server. 6. Cisco ASA Path Traversal Vulnerability (CVE-2018-0296) Cisco's Adaptive Security Appliance (ASA) software was found to have a critical path traversal vulnerability (CVE-2018-0296) in 2018. This allowed unauthenticated attackers to send crafted HTTP requests to gain access to sensitive system files. Exploiting this flaw, attackers could obtain information about the device configuration, potentially aiding in further attacks against the network. 7. GitHub Enterprise Server Path Traversal (CVE-2020-10546) In 2020, a path traversal vulnerability (CVE-2020-10546) was discovered in GitHub Enterprise Server. This vulnerability allowed attackers to access arbitrary files on the server by manipulating URL paths. Exploiting this, an attacker could gain access to sensitive information such as repository files and configuration data, posing a significant security risk to the affected enterprises. 8. WordPress Plugin Vulnerabilities Many WordPress plugins have been found vulnerable to path traversal attacks. For instance, the popular plugin "Duplicate Page" had a path traversal vulnerability that allowed attackers to read arbitrary files from the server. Such vulnerabilities in widely used plugins pose significant risks as they can affect a large number of websites, potentially exposing sensitive data and enabling further attacks. Final words I'm not supposed to be writing an article telling you this (lol), but sometimes the most secure doors have hidden keys – and in the world of web security, path traversal is one key you definitely don't want falling into the wrong hands. Path traversal vulnerabilities extend beyond what I have shown here but see this as a starting point, a good magician never reveals his secrets :). Path traversal vulnerabilities are like hidden passages in a fortress, allowing attackers to slip through defenses and wreak havoc. By understanding how these attacks work and implementing defenses, we can better protect our digital fortresses from unauthorized access. Always validate and sanitize user inputs, and regularly, I mean regularly review your code and server configurations to close off any potential exploits. Mischief Managed. Resources: Portswigger (Web Security Academy) Wikipedia Imagine your house is full of rooms with various doors, some leading to secure areas like your personal office or a safe room. Now, what if someone knew a trick to bypass the usual routes and access these rooms directly, stealing or tampering with your valuables, such as your 419-karat gold chain, expensive perfume, or even your vintage Kolo box . This is essentially what happens in a path traversal attack. Kolo box What is Path Traversal? Path traversal, also known as directory traversal, is a type of vulnerability found in web applications. It allows attackers to access files and directories stored outside the web root folder, which they typically shouldn't be able to reach, that's for the chefs, a.k.a Backend Engineers. These files can contain sensitive information like application code, user data, credentials, and even system files, which can be exploited to gain further control over the server. How Path Traversal Works Say there's a web application, a sinister yahooyahoo online shopping store used to trade illegally, much like Darkmarket , with its name actually being yahooyahoo ! Dumb I know, had to do with something about hiding in plain sight by the admin who's now in jail :). yahooyahoo Darkmarket yahooyahoo sight The application loads an image using a URL like this: <img src="/loadImage?filename=218.png"> <img src="/loadImage?filename=218.png"> In the backend, the server processes this request by appending the filename to a base directory: /var/www/images/218.png /var/www/images/218.png However, if there are no defenses against path traversal, an attacker; in this case EFCC , can manipulate the filename parameter to access other files on the server such as account info of the users. EFCC filename parameter For instance, they might try: https://yahooyahoo.com/loadImage?filename=../../../etc/passwd https://yahooyahoo.com/loadImage?filename=../../../etc/passwd This request instructs the server to load a file by stepping up three directory levels from the base path and then accessing the /etc/passwd file, a critical system file on Unix-like systems. /etc/passwd The server constructs the path like this: /var/www/images/../../../etc/passwd /var/www/images/../../../etc/passwd The ../ sequence moves up one directory level. So, the path resolves to: ../ /etc/passwd /etc/passwd The Power and Might of ../ Sequence ../ When you hear of Sequence in Web-Sec, just think of Navigation . Sequence Navigation Think of ../ as a way to go up one level in a directory structure, like climbing a ladder to the floor above: ../ A single ../ takes you one level up. ../../ takes you two levels up. ../../../ takes you three levels up, and so on. A single ../ takes you one level up. ../ ../../ takes you two levels up. ../../ ../../../ takes you three levels up, and so on. ../../../ In a computer file system: Starting at /home/user/documents/projects, ../ takes you to /home/user/documents. ../../ would take you to /home/user. ../../../ brings you to /home. Starting at /home/user/documents/projects , ../ takes you to /home/user/documents . /home/user/documents/projects ../ /home/user/documents ../../ would take you to /home/user . ../../ /home/user ../../../ brings you to /home . ../../../ /home To better understand this: To better understand this: Imagine you're in a large hotel, Hotel 3FCC. You start in room 419 (4th floor, 19th room). Using ../ : ../ ../ means stepping out into the hallway (up one level in directory terms). ../../ means taking the elevator down to the 3rd floor. ../../../ means going down to the 2nd floor. ../ means stepping out into the hallway (up one level in directory terms). ../ ../../ means taking the elevator down to the 3rd floor. ../../ ../../../ means going down to the 2nd floor. ../../../ Hotel Layout: Hotel: --------------------- (Floors) | | +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (Your Room)| | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Hotel: --------------------- (Floors) | | +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (Your Room)| | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Path Traversal Steps: Initial Position: Room 419 on the 4th Floor Current Path: /home/user/documents/projects Hotel Analogy: You are in Room 419 on the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 1: Using ../ to move up one level to the hallway of the 4th floor New Path: /home/user/documents Hotel Analogy: Stepping out into the hallway of the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 2: Using ../../ to move up two levels to the 3rd Floor New Path: /home/user Hotel Analogy: Taking the elevator down to the 3rd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ Step 3: Using ../../../ to move up three levels to the 2nd Floor New Path: /home Hotel Analogy: Taking the elevator down to the 2nd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ Initial Position: Room 419 on the 4th Floor Current Path: /home/user/documents/projects Hotel Analogy: You are in Room 419 on the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Initial Position : Room 419 on the 4th Floor Initial Position Current Path: /home/user/documents/projects Hotel Analogy: You are in Room 419 on the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Current Path: /home/user/documents/projects Current Path : /home/user/documents/projects Current Path /home/user/documents/projects Hotel Analogy: You are in Room 419 on the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Hotel Analogy : You are in Room 419 on the 4th Floor Hotel Analogy +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 1: Using ../ to move up one level to the hallway of the 4th floor New Path: /home/user/documents Hotel Analogy: Stepping out into the hallway of the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 1 : Using ../ to move up one level to the hallway of the 4th floor Step 1 ../ New Path: /home/user/documents Hotel Analogy: Stepping out into the hallway of the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ New Path: /home/user/documents New Path : /home/user/documents New Path /home/user/documents Hotel Analogy: Stepping out into the hallway of the 4th Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Hotel Analogy : Stepping out into the hallway of the 4th Floor Hotel Analogy +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+ Step 2: Using ../../ to move up two levels to the 3rd Floor New Path: /home/user Hotel Analogy: Taking the elevator down to the 3rd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ Step 2 : Using ../../ to move up two levels to the 3rd Floor Step 2 ../../ New Path: /home/user Hotel Analogy: Taking the elevator down to the 3rd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ New Path: /home/user New Path : /home/user New Path /home/user Hotel Analogy: Taking the elevator down to the 3rd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ Hotel Analogy : Taking the elevator down to the 3rd Floor Hotel Analogy +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+ Step 3: Using ../../../ to move up three levels to the 2nd Floor New Path: /home Hotel Analogy: Taking the elevator down to the 2nd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ Step 3 : Using ../../../ to move up three levels to the 2nd Floor Step 3 ../../../ New Path: /home Hotel Analogy: Taking the elevator down to the 2nd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ New Path: /home New Path : /home New Path /home Hotel Analogy: Taking the elevator down to the 2nd Floor +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ Hotel Analogy : Taking the elevator down to the 2nd Floor Hotel Analogy +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ Defenses and Bypasses To prevent these attacks, many applications strip out directory traversal sequences from user input. But clever attackers often find ways to bypass these defenses. For instance, they might use an absolute path directly from the root: filename=/etc/passwd filename=/etc/passwd Or, they might use nested traversal sequences like ....// , which, after stripping, still leaves a valid traversal sequence: ....// https://yahooyahoo.com/loadImage?filename=....//etc/passwd https://yahooyahoo.com/loadImage?filename=....//etc/passwd Here’s how nested sequences work: User input: ....//etc/passwd Application strips ../: The sequence ....// reverts to ../ Resulting path: /var/www/images/../etc/passwd Final path resolves to: /etc/passwd User input: ....//etc/passwd ....//etc/passwd Application strips ../ : The sequence ....// reverts to ../ ../ ....// ../ Resulting path: /var/www/images/../etc/passwd /var/www/images/../etc/passwd Final path resolves to: /etc/passwd /etc/passwd URL Encoding Tricks Another trick involves URL encoding (I'll be writing an article on URL encoding soon), where characters like ../ are represented in encoded forms ( %2e%2e%2f ). For example: ../ %2e%2e%2f filename=%2e%2e%2f%2e%2e%2fetc/passwd filename=%2e%2e%2f%2e%2e%2fetc/passwd This can trick the application into processing it as valid input. Protecting Against Path Traversal To defend against path traversal: Avoid using user input in filesystem APIs whenever possible. Validate user inputs rigorously: Use a whitelist of allowed values. Allow only specific characters (e.g., alphanumeric). Canonicalize the path: Ensure the resolved path starts with the expected base directory. Avoid using user input in filesystem APIs whenever possible. Avoid using user input in filesystem APIs Validate user inputs rigorously : Use a whitelist of allowed values. Allow only specific characters (e.g., alphanumeric). Validate user inputs rigorously Use a whitelist of allowed values. Allow only specific characters (e.g., alphanumeric). Use a whitelist of allowed values. Allow only specific characters (e.g., alphanumeric). Canonicalize the path : Ensure the resolved path starts with the expected base directory. Canonicalize the path Ensure the resolved path starts with the expected base directory. Ensure the resolved path starts with the expected base directory. Real-Life Examples of Path Traversal Attacks 1. Apache Struts CVE-2017-5638 Apache Struts CVE-2017-5638 In 2017, a critical vulnerability was discovered in Apache Struts, a popular open-source web application framework. The vulnerability (CVE-2017-5638) allowed attackers to exploit path traversal to read and execute arbitrary files on the server. This was part of the attack vector used in the massive Equifax data breach, which exposed personal information of over 147 million people. Attackers leveraged the vulnerability to execute remote code, gaining access to sensitive data. 2. Fortinet FortiOS Path Traversal (CVE-2018-13379) Fortinet FortiOS Path Traversal (CVE-2018-13379) In 2018, a path traversal vulnerability (CVE-2018-13379) was discovered in Fortinet's FortiOS SSL VPN web portal. The flaw allowed unauthenticated attackers to download system files via specially crafted HTTP resource requests. By exploiting this, attackers could access sensitive information such as password files and VPN session details, compromising the security of the entire network. 3. Magento eCommerce Platform Magento eCommerce Platform Magento, a popular eCommerce platform, has been subject to multiple path traversal vulnerabilities over the years. One such vulnerability allowed attackers to exploit the file upload mechanism to upload malicious files by bypassing directory restrictions. This could lead to remote code execution, enabling attackers to take over the web server and access sensitive customer information and payment data. 4. Nokia Store App Nokia Store App In 2012, a significant path traversal vulnerability was found in the Nokia Store app. The issue allowed attackers to download arbitrary files from the server. By manipulating the URL parameters, attackers could access restricted directories and sensitive files, potentially exposing user data and internal configurations. 5. Rubygems.org Path Traversal (CVE-2020-25613) Rubygems.org Path Traversal (CVE-2020-25613) In 2020, a path traversal vulnerability was identified in Rubygems.org, the Ruby community’s gem hosting service. The vulnerability (CVE-2020-25613) allowed attackers to manipulate file paths and download arbitrary files from the server. This posed a significant risk as it could potentially expose sensitive configuration files and credentials stored on the server. 6. Cisco ASA Path Traversal Vulnerability (CVE-2018-0296) Cisco ASA Path Traversal Vulnerability (CVE-2018-0296) Cisco's Adaptive Security Appliance (ASA) software was found to have a critical path traversal vulnerability (CVE-2018-0296) in 2018. This allowed unauthenticated attackers to send crafted HTTP requests to gain access to sensitive system files. Exploiting this flaw, attackers could obtain information about the device configuration, potentially aiding in further attacks against the network. 7. GitHub Enterprise Server Path Traversal (CVE-2020-10546) GitHub Enterprise Server Path Traversal (CVE-2020-10546) In 2020, a path traversal vulnerability (CVE-2020-10546) was discovered in GitHub Enterprise Server. This vulnerability allowed attackers to access arbitrary files on the server by manipulating URL paths. Exploiting this, an attacker could gain access to sensitive information such as repository files and configuration data, posing a significant security risk to the affected enterprises. 8. WordPress Plugin Vulnerabilities WordPress Plugin Vulnerabilities Many WordPress plugins have been found vulnerable to path traversal attacks. For instance, the popular plugin "Duplicate Page" had a path traversal vulnerability that allowed attackers to read arbitrary files from the server. Such vulnerabilities in widely used plugins pose significant risks as they can affect a large number of websites, potentially exposing sensitive data and enabling further attacks. Final words I'm not supposed to be writing an article telling you this (lol), but sometimes the most secure doors have hidden keys – and in the world of web security, path traversal is one key you definitely don't want falling into the wrong hands. Path traversal vulnerabilities extend beyond what I have shown here but see this as a starting point, a good magician never reveals his secrets :). Path traversal vulnerabilities are like hidden passages in a fortress, allowing attackers to slip through defenses and wreak havoc. By understanding how these attacks work and implementing defenses, we can better protect our digital fortresses from unauthorized access. Always validate and sanitize user inputs, and regularly, I mean regularly review your code and server configurations to close off any potential exploits. Mischief Managed. Mischief Managed. Resources: Resources: Portswigger (Web Security Academy) Wikipedia
