Understanding Directory Traversal

One of the critical functions of a secure Web server is controlling access to restricted directories. HTTP exploit attacks circumvent Web server security and use malicious software to access the content of restricted directories.  Directory Traversal is one such HTTP vulnerability.

The goal of a Directory Traversal attack is to execute commands that will access files that are intended to be restricted. This type of attack uses HTTP to bypass Web server and Web application security. It is enabled by insufficient and missing security measures in servers and websites.

Web servers use two types of mechanisms to prevent access unauthorized access to restricted directories and files:

The Root Directory – Limits user access to a specific directory (known as the root directory) and its subdirectories.

Access Controls Lists (ACLs) – Limits access to specific files within the root directory. Only users who are listed in the ACL for a file can access that file.

The root directory mechanism is an effective means for a Web server to prevent unauthorized users from executing files (such as cmd.exe on Windows) or accessing secure data (such as the ‘passwd’ file which is used to store passwords on Linux). Unfortunately, some Web servers have vulnerabilities in their root directory mechanism and use of ACLs.

Exploiting Directory Traversal Vulnerabilities

When Directory Traversal vulnerabilities exist, an attacker is able to access directories above the root directory. Once these directories are accessed, commands can be executed on the Web server and secure data can be copied or modified. The security of the Web server is severely compromised.

Directory traversal vulnerabilities can also be found in Web applications that run on Web servers. If an application developer fails to provide code to validate browser input, hackers can experiment with different input strings and access directories above the root.

Web Application Attack Example

For example, consider a Web application that processes an input field on a web page. The application takes character string from the input field and forms a URL that displays a dynamic page. The URL might look like this:

http://www.mycalendar.com/mydata.asp?item=tuesday.html

A hacker will notice that the parameter on the right side of ‘=’ is a web page file and guess that ‘mydata.asp’ is a script that can retrieve files. This URL is then copied by the hacker and edited. The hacker then inputs this new URL into the browser’s URL field:

http://www.mycalendar.com/mydata.asp?item=../../../../WINNT/win.ini

In the above example, the characters ‘../’ are used to access directories above the root directory. The hacker is experimenting to see if the WINNT directory is four levels up. If this is not the case, the hacker will try adding or subtracting ‘../’ characters. If a vulnerability exists in the Web application and the input is not filtered, the hacker will eventually find the correct sequence to access the WINNT directory and then can execute malicious commands.

Crafting Web Applications to Resist Attack

To avoid Directory Traversal attacks through user input, Web applications should filter and validate all inputs. Escape codes and directory paths should be filtered out to ensure that only safe inputs are passed to the Web server.

Web Server Attack Example

Possible areas of vulnerability in Web servers include scripts on the server and problems in the server software. For example, some versions of Microsoft IIS Web had vulnerabilities in the root directory validation code. Attackers could use a certain sequence of characters in a URL to execute scripts on the server.

An example of another type of vulnerability is shown in the URL below. The characters ‘%5c’ are a Web server escape code which is used to pass characters directly to the server.

http://www.mycalendar.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:

In this case, the escape code represents the character ‘’. If a Web server does not check for escape characters, then the ‘’ character will pass through. The request will cause the cmd.exe command shell program to be executed on the input string “dir c:”, which will case the contents of the c: driver to be listed. The security of the system has now been compromised.

Up-to-date Web servers check for escape codes and block them from passing through. However, older versions of Web server software do not check for escape codes and are vulnerable to directory traversal and command execution via escape codes.

Testing for Directory Traversal Vulnerabilities

One of the most important ways to block Directory Traversal attacks is to make sure you are running the latest version of Web server software. This includes applying the most current updates and patches.

For Web applications, a Web Vulnerability Scanner is the best defense against Directory Traversal vulnerabilities. Our Scanner will test for areas that are vulnerable to attack by crawling every page of a website. When vulnerability is found, the Scanner will report it and make a suggestion on how to fix it. Acunetix Web Vulnerability Scanner will also test for other common attack vulnerabilities, including Cross-site Scripting and SQL Injection.

Check if your website if vulnerable to directory traversal with Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting, Directory Traversal  and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Download the evaluation version today!

Understanding Directory TraversalOne of the critical functions of a secure Web server is controlling access to restricted directories. HTTP exploit attacks circumvent Web server security and use malicious software to access the content of restricted directories. Directory Traversal is one such HTTP exploit.The goal of a Directory Traversal attack is to execute commands that will access files that are intended to be restricted. This type of attack uses HTTP to bypass Web server and Web application security. It is enabled by insufficient and missing security measures in servers and websites.

Web servers use two types of mechanisms to prevent access unauthorized access to restricted directories and files:

The Root Directory – Limits user access to a specific directory (known as the root directory) and its subdirectories.

Access Controls Lists (ACLs) – Limits access to specific files within the root directory. Only users who are listed in the ACL for a file can access that file.

The root directory mechanism is an effective means for a Web server to prevent unauthorized users from executing files (such as cmd.exe on Windows) or accessing secure data (such as the ‘passwd’ file which is used to store passwords on Linux). Unfortunately, some Web servers have vulnerabilities in their root directory mechanism and use of ACLs.

Exploiting Directory Traversal Vulnerabilities

When Directory Traversal vulnerabilities exist, an attacker is able to access directories above the root directory. Once these directories are accessed, commands can be executed on the Web server and secure data can be copied or modified. The security of the Web server is severely compromised.

Directory traversal vulnerabilities can also be found in Web applications that run on Web servers. If an application developer fails to provide code to validate browser input, hackers can experiment with different input strings and access directories above the root.

Web Application Attack Example

For example, consider a Web application that processes an input field on a web page. The application takes character string from the input field and forms a URL that displays a dynamic page. The URL might look like this:

http://www.mycalendar.com/mydata.asp?item=tuesday.html

A hacker will notice that the parameter on the right side of ‘=’ is a web page file and guess that ‘mydata.asp’ is a script that can retrieve files. This URL is then copied by the hacker and edited. The hacker then inputs this new URL into the browser’s URL field:

http://www.mycalendar.com/mydata.asp?item=../../../../WINNT/win.ini

In the above example, the characters ‘../’ are used to access directories above the root directory. The hacker is experimenting to see if the WINNT directory is four levels up. If this is not the case, the hacker will try adding or subtracting ‘../’ characters. If a vulnerability exists in the Web application and the input is not filtered, the hacker will eventually find the correct sequence to access the WINNT directory and then can execute malicious commands.

Crafting Web Applications to Resist Attack

To avoid Directory Traversal attacks through user input, Web applications should filter and validate all inputs. Escape codes and directory paths should be filtered out to ensure that only safe inputs are passed to the Web server.

Web Server Attack Example

Possible areas of vulnerability in Web servers include scripts on the server and problems in the server software. For example, some versions of Microsoft IIS Web had vulnerabilities in the root directory validation code. Attackers could use a certain sequence of characters in a URL to execute scripts on the server.

An example of another type of vulnerability is shown in the URL below. The characters ‘%5c’ are a Web server escape code which is used to pass characters directly to the server.

http://www.mycalendar.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:

In this case, the escape code represents the character ‘’. If a Web server does not check for escape characters, then the ‘’ character will pass through. The request will cause the cmd.exe command shell program to be executed on the input string “dir c:”, which will case the contents of the c: driver to be listed. The security of the system has now been compromised.

Up-to-date Web servers check for escape codes and block them from passing through. However, older versions of Web server software do not check for escape codes and are vulnerable to directory traversal and command execution via escape codes.

Testing for Directory Traversal Vulnerabilities

One of the most important ways to block Directory Traversal attacks is to make sure you are running the latest version of Web server software. This includes applying the most current updates and patches.

For Web applications, a Web Vulnerability Scanner is the best defense against Directory Traversal vulnerabilities. Our Scanner will test for areas that are vulnerable to attack by crawling every page of a website. When vulnerability is found, the Scanner will report it and make a suggestion on how to fix it. Our Web Vulnerability Scanner will also test for other common attack vulnerabilities, including Cross-site Scripting and SQL Injection.

SHARE THIS POST
THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.