Directory Traversal attack; what is it and how to prevent such attacks

If a web application or web server are vulnerable to a Directory Traversal attack, a malicious user can exploit this vulnerability to step out of the web root directory and access other restricted files and directories of the file system. Typically, this also gives the malicious user the ability to execute commands on the web server which will lead to a full compromise of the system.

Secure access control is crucial in web server and web application configurations since a website is always exposed and will always  be a target!

In the following article you can read more and learn (using examples) about Directory Traversal attacks, how to check for them and most important of all, how to prevent them.

  • Isn’t a possible way to prevent attacks based on directory traversal is to have complex names for the sub-folders?

  • Do you mean that you have a complex/long path (with a lot of sub-folders) and the attacker doesn’t know how many directories to step back?

    If this is your question, the answer is no. You don’t have to guess exactly the number of subdirectories to step back. You can just use a large number, like ../../../../../../../../../../../ and if there are enough of them it will work.
    If you have too many it’s not a problem because the operating system will not mind.

    The real solution is to properly validate the input and only allow valid characters.

  • Leave a Reply

    Your email address will not be published.