Testing Directory traversal/file include (OTG-AUTHZ-001) - Revision history

Tony Hsu HsiangChih: /* Tools */

2016-04-02T01:25:09Z

‎Tools

Jarrod Stenberg: /* Testing Techniques */

2015-04-28T19:05:40Z

‎Testing Techniques

Jarrod Stenberg: /* Testing Techniques */ Added additional fun to be had with URL as malicious input.

2015-04-28T19:05:07Z

‎Testing Techniques: Added additional fun to be had with URL as malicious input.

Andrew Muller: Andrew Muller moved page Testing for Path Traversal (OTG-AUTHZ-001) to Testing Directory traversal/file include (OTG-AUTHZ-001)

2014-08-08T12:44:55Z

Andrew Muller moved page Testing for Path Traversal (OTG-AUTHZ-001) to Testing Directory traversal/file include (OTG-AUTHZ-001)

Andrew Muller: Andrew Muller moved page Testing for Path Traversal (OTG-AUTHZ-002) to Testing for Path Traversal (OTG-AUTHZ-001)

2014-08-08T11:56:25Z

Andrew Muller moved page Testing for Path Traversal (OTG-AUTHZ-002) to Testing for Path Traversal (OTG-AUTHZ-001)

Andrew Muller at 14:32, 5 August 2014

2014-08-05T14:32:57Z

Andrew Muller: Andrew Muller moved page Testing for Path Traversal (OWASP-AZ-001) to Testing for Path Traversal (OTG-AUTHZ-002): Align with Common Numbering

2014-08-05T13:15:29Z

Andrew Muller moved page Testing for Path Traversal (OWASP-AZ-001) to Testing for Path Traversal (OTG-AUTHZ-002): Align with Common Numbering

Jane O'Connor: Added Andrew's changes.

2014-08-01T20:05:34Z

Added Andrew's changes.

Jane O'Connor: Final edit

2014-05-14T18:49:17Z

Final edit

Show changes

Lvsteche: Minor corrections/rewrites.

2014-03-24T12:01:07Z

Minor corrections/rewrites.

Show changes

@@ Line 227: / Line 227: @@
 * Enconding/Decoding tools
 * String searcher "grep" - http://www.gnu.org/software/grep/
+* DirBuster - https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
 == References ==

@@ Line 77: / Line 77: @@
 </pre>
-If protocols are accepted as arguments, as in the above examples, it's also possible to probe the local services (e.g., http://localhost...) and nearby services.
+If protocols are accepted as arguments, as in the above examples, it's also possible to probe the local services and nearby services.
 <pre>
 http://example.com/index.php?file=http://localhost:8080 or http://example.com/index.php?file=http://192.168.0.2:9080

@@ Line 69: / Line 69: @@
 <pre>
 http://example.com/index.php?file=http://www.owasp.org/malicioustxt
 </pre>
@@ Line 166: / Line 177: @@
 ** May be equivalent to a drive letter such as c:\, or even a drive volume without an assigned letter.<br><pre>\\.\GLOBALROOT\Device\HarddiskVolume1\</pre>
 ** Refers to the first disc drive on the machine.<br><pre>\\.\CdRom0\</pre>
 === Gray Box testing ===

@@ Line 1: / Line 1: @@
 {{Template:OWASP Testing Guide v4}}
-== Brief Summary ==
+== Summary ==
 Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an aggressor could exploit the system in order to read or write files that are not intended to be accessible. In particular situations, it could be possible to execute arbitrary code or system commands.
@@ Line 21: / Line 21: @@
 <br>
-==How to test==
+==How to Test==
-== Black Box testing and example ==
+=== Black Box testing ===
-('''a''') '''Input Vectors Enumeration'''<br>
+====Input Vectors Enumeration====
 In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application that accept content from the user. This also includes HTTP GET and POST queries and common options like file uploads and HTML forms.
@@ Line 48: / Line 48: @@
-('''b''') '''Testing Techniques'''
+====Testing Techniques====
 The next stage of testing is analyzing the input validation functions present in the web application. Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static information from a file and shows the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/UNIX system. Obviously, this kind of attack is possible only if the validation checkpoint fails; according to the file system privileges, the web application itself must be able to read the file.
@@ Line 168: / Line 168: @@
-== Gray Box testing and example ==
+=== Gray Box testing ===
 When the analysis is performed with a Gray Box approach, testers have to follow the same methodology as in Black Box Testing. However, since they can review the source code, it is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately. During a source code review, they can use simple tools (such as the ''grep'' command) to search for one or more common patterns within the application code: inclusion functions/methods, filesystem operations, and so on.
@@ Line 210: / Line 210: @@
 <br>
 ==Tools==
 * DotDotPwn - The Directory Traversal Fuzzer - http://dotdotpwn.sectester.net
 * Path Traversal Fuzz Strings (from WFuzz Tool) - http://code.google.com/p/wfuzz/source/browse/trunk/wordlist/Injections/Traversal.txt
-* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project],''OWASP: Zed Attack Proxy (ZAP)''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project])
+* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project],''OWASP: Zed Attack Proxy (ZAP)''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project])
 * Enconding/Decoding tools
 * String searcher "grep" - http://www.gnu.org/software/grep/
 <br>

@@ Line 2: / Line 2: @@
 == Brief Summary ==
 Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an aggressor could exploit the system in order to read or write files that are not intended to be accessible. In particular situations, it could be possible to execute arbitrary code or system commands.
-===How to Avoid Path Traversal Vulnerabilities===
+Traditionally, web servers and web applications implement authentication mechanisms to control access to files and resources. Web servers try to confine users' files inside a "root directory" or "web document root", which represents a physical directory on the file system. Users have to consider this directory as the base directory into the hierarchical structure of the web application.
-See the [[:Category:OWASP Guide Project|OWASP Guide]] article on how to [[File_System#Path_traversal|Avoid Path Traversal ]] Vulnerabilities.
+The definition of the privileges is made using Access Control Lists (ACL) which identify which users or groups are supposed to be able to access, modify, or execute a specific file on the server. These mechanisms are designed to prevent malicious users from accessing sensitive files (for example, the common /etc/passwd file on a UNIX-like platform) or to avoid the execution of system commands.
-===How to Review Code for Path Traversal  Vulnerabilities===
+In web servers and web applications, this kind of problem arises in path traversal/file include attacks. By exploiting this kind of vulnerability, an attacker is able to read directories or files which they normally couldn't read, access data outside the web document root, or include scripts and other kinds of files from external websites.
-See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for Path Traversal  |Review Code for Path Traversal ]] Vulnerabilities.
+For the purpose of the OWASP Testing Guide, only the security threats related to web applications will be considered and not threats to web servers (e.g., the infamous "%5c escape code" into Microsoft IIS web server). Further reading suggestions will be provided in the references section for interested readers.
 During an assessment, to discover path traversal and file include flaws, testers need to perform two different stages:
@@ Line 49: / Line 21: @@
 <br>
 == Black Box testing and example ==
 ('''a''') '''Input Vectors Enumeration'''<br>
@@ Line 242: / Line 215: @@
 * Windows File Pseudonyms: Pwnage and Poetry - http://www.slideshare.net/BaronZor/windows-file-pseudonyms[http://www.slideshare.net/BaronZor/windows-file-pseudonyms]
 <br>
-'''Tools'''
 * DotDotPwn - The Directory Traversal Fuzzer - http://dotdotpwn.sectester.net
 * Path Traversal Fuzz Strings (from WFuzz Tool) - http://code.google.com/p/wfuzz/source/browse/trunk/wordlist/Injections/Traversal.txt
-* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project])
+* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project],''OWASP: Zed Attack Proxy (ZAP)''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project])
 * Enconding/Decoding tools
 * String searcher "grep" - http://www.gnu.org/software/grep/
 <br>

← Older revision	Revision as of 12:44, 8 August 2014
(No difference)

← Older revision	Revision as of 11:56, 8 August 2014
(No difference)

← Older revision	Revision as of 13:15, 5 August 2014
(No difference)