
OWASP Periodic Table of Vulnerabilities - Path Traversal

From OWASP
Revision as of 17:11, 23 July 2013 by James Landis (talk | contribs) (Posting on behalf of Rajat)



Path Traversal

Root Cause Summary

File resources are accessed using user-supplied data, allowing a malicious user to access files that they are not authorized to access.


Browser / Standards Solution

<browser/standards solutions here>


Perimeter Solution

· Canonicalize URLs and prevent directory access outside the web root.

Generic Framework Solution

· Provide safe libraries for accessing the file system that canonicalize path references and enforce proper access control.

· Provide a method that compares the canonicalized path against a whitelist of paths that the current user is permitted to access at the application's given access level.

· Provide safe methods that do not let the input tamper with the file extension of the intended resource (for example, by truncating an appended extension with a null byte, or by supplying a further path segment after it).

· Input validation that rejects user-supplied data containing “..”. Note that stripping the sequence instead of rejecting the request is bypassable (“....//” survives a single-pass removal of “../”, and an encoded form such as “%2e%2e” passes a check that runs before URL decoding), so this is defence in depth, not a substitute for canonicalization.
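The canonicalize-then-compare approach listed above (and the perimeter canonicalization under Perimeter Solution), worked through in Python. This is an added illustration, not code from the OWASP page: the web root, the extension list and the per-level subtrees are constructed for the example, and naive_strip shows why the last item's removal of “..” is not sufficient on its own.

```python
import os
from urllib.parse import unquote

# Constructed for this example (the page names no directories): the web root the
# application serves files from, and the subtrees each access level may read.
BASE_DIR = os.path.realpath("/var/www/app/public")
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png"}
ALLOWED_SUBTREES = {
    "viewer": ["docs"],
    "admin": ["docs", "reports"],
}


def naive_strip(user_path: str) -> str:
    """The page's last suggestion applied literally: strip traversal sequences.

    A single pass over the string is bypassable: '....//' -> '../'.
    """
    return user_path.replace("../", "")


def naive_strip_then_decode(user_path: str) -> str:
    """Same filter, but run before URL decoding (a common ordering bug):
    '%2e%2e/' contains no '../', survives the filter, and decodes to '../'."""
    return unquote(naive_strip(user_path))


def canonical_path(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalize a user-supplied relative path and confirm it stays under base_dir.

    Operates on the already-decoded path. Raises ValueError instead of sanitizing:
    a request that needs '..' removed to be safe is an attack, not a typo.
    """
    if "\x00" in user_path:
        raise ValueError("null byte in path")
    # Normalise Windows-style separators so '..\\..\\' is handled like '../../'
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/"):
        raise ValueError("absolute path not allowed")
    # realpath collapses '.', '..' and duplicate separators and follows symlinks
    candidate = os.path.realpath(os.path.join(base_dir, normalised))
    # A plain string-prefix test would accept '/var/www/app/public2/x',
    # so compare whole path components instead
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes base directory")
    # Extension check runs on the canonical form, after any traversal is resolved
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file extension not allowed")
    return candidate


def is_rejected(user_path: str) -> bool:
    """True if canonical_path refuses the input."""
    try:
        canonical_path(user_path)
    except ValueError:
        return True
    return False


def authorized(candidate: str, access_level: str, base_dir: str = BASE_DIR) -> bool:
    """Whitelist check: the canonical path must fall inside one of the subtrees
    granted to this access level."""
    for sub in ALLOWED_SUBTREES.get(access_level, []):
        root = os.path.join(base_dir, sub)
        if os.path.commonpath([root, candidate]) == root:
            return True
    return False


def open_for(user_path: str, access_level: str):
    """Resolve, authorize, then open; every failure raises before the file is touched."""
    candidate = canonical_path(user_path)
    if not authorized(candidate, access_level):
        raise PermissionError(f"{access_level} may not read {candidate}")
    return open(candidate, "rb")
```

The check is deliberately structural rather than string-based: os.path.commonpath compares whole path components, so a sibling directory that merely shares a prefix with the web root (public2 next to public) is rejected, and the extension is checked only after canonicalization so that nothing supplied after the intended name can change which file is opened.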

Custom Framework Solution

<custom framework solutions here>


Custom Code Solution

<custom code solutions here>


Discussion / Controversy

<discussion / controversy tracking here>


References

http://en.wikipedia.org/wiki/Directory_traversal_attack