This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Projects/OWASP Path Traverser"

From OWASP
Line 1: Line 1:
 
{{Template:Project About
 
{{Template:Project About
| project_name =OWASP Path Traverser
+
| project_name ='''OWASP Path Traverser'''
 
| project_home_page =OWASP_Path_Traverser
 
| project_home_page =OWASP_Path_Traverser
 
| project_description =Path Traverser is a tool for security testing of web applications.
 
| project_description =Path Traverser is a tool for security testing of web applications.
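Review bot: the `+` line wraps the project_name value in `'''…'''`, which puts presentation markup into a template parameter value that Template:Project About may also use as link text or a page title; check how the template renders project_name before bolding it here, and leave the plain name if the template already styles it.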
Line 7: Line 7:
 
It operates as a middleman between the web application to its host server, which gives the abillity to test the actual files as found in the host server against the application, according to their relevant path.  
 
It operates as a middleman between the web application to its host server, which gives the abillity to test the actual files as found in the host server against the application, according to their relevant path.  
  
After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files.
+
After you have provided the relevant details, Path Traverser will connect (sFTP/SSH) to your host server in order to pull out the list of files.
 
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.
 
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.
  
If your application could be found at: http://mysrvr:777/home  
+
If your application could be found at: ''<nowiki>http://mysrvr:777/home</nowiki>''
and the application files could be found in the file system under: myapps/demoapp/client/version/lastversion/, requests for files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under/myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc...
+
and the application files could be found in the file system under: ''myapps/demoapp/client/version/lastversion''/, requests for files under: ''/myapps/demoapp/client/version/1.1/'' will be created as: ''<nowiki>http://mysrvr:777/home/../1.1/</nowiki>''  and requests for files under: ''/myapp/differentapp/files/'' will be created as: ''<nowiki>http://mysrvr:777/home/../../../../differentapp/files/</nowiki>'' , etc...
  
 
After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected.
 
After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected.
  
 
A configuration for excluding/including specific file types is available.
 
A configuration for excluding/including specific file types is available.
| project_license =Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0
+
| project_license =Attribution 3.0 Unported (CC BY 3.0)
 
| leader_name1 =Tal Melamed
 
| leader_name1 =Tal Melamed
 
| leader_email1 [email protected]  
 
| leader_email1 [email protected]  
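Review bot: the project_license change from `Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0` to `Attribution 3.0 Unported (CC BY 3.0)` drops the NonCommercial and NoDerivs terms, which is a substantive relicensing and not just the closing-parenthesis fix it also makes; record it as such. Separately, the unchanged `| leader_email1 [email protected]` lines have no `=` between the parameter name and its value, so the template receives an unnamed positional parameter and the leader's email never reaches the rendered page; write `| leader_email1 =` followed by the address.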

Revision as of 10:46, 29 August 2013

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Path Traverser (home page)
Purpose: Path Traverser is a tool for security testing of web applications.

Path Traverser simulates a real Path Traversal attack, but only with files that actually exist. It operates as a middleman between the web application and its host server, which makes it possible to test the actual files found on the host server against the application, according to their relevant paths.

After you have provided the relevant details, Path Traverser connects (sFTP/SSH) to your host server in order to pull the list of files. Then it rewrites the paths in the list taken from the file system so that they fit the web application.

If your application can be found at http://mysrvr:777/home and the application files are located in the file system under myapps/demoapp/client/version/lastversion/, then requests for files under /myapps/demoapp/client/version/1.1/ will be created as http://mysrvr:777/home/../1.1/, requests for files under /myapp/differentapp/files/ will be created as http://mysrvr:777/home/../../../../differentapp/files/, and so on.

After that, Path Traverser sends these requests one by one and logs the results according to the HTTP response code selected.

A configuration option for excluding or including specific file types is available.
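The following is an added example, not code from the Path Traverser project (the page does not show its internals). It walks through both halves of the test the page describes in Python: rewriting a file listing into request URLs relative to the application URL, applying a file-type include/exclude filter, selecting logged results by response code, and, on the defender's side, the normalisation check a correct file handler applies so that such a request is refused. The listing is constructed from the page's own example tree; the glob-pattern shape of the include/exclude setting and the /srv/ mount point are assumptions, and the page's second tree, written there as /myapp/differentapp/files/, is read as myapps/differentapp/files, the only reading under which the page's four ../ segments come out right.

```python
import posixpath
from fnmatch import fnmatch

# Constructed sample listing: the directory layout from the page's example,
# flattened to file paths as Path Traverser would pull them over sFTP/SSH.
# The page writes the second tree as "/myapp/differentapp/files/"; it is read
# here as "myapps/differentapp/files" (assumption), which is the reading under
# which the page's four "../" segments are correct.
SAMPLE_LISTING = [
    "myapps/demoapp/client/version/lastversion/index.html",
    "myapps/demoapp/client/version/lastversion/app.js",
    "myapps/demoapp/client/version/1.1/index.html",
    "myapps/demoapp/client/version/1.1/config.xml",
    "myapps/differentapp/files/report.pdf",
    "myapps/differentapp/files/notes.txt",
]

APP_URL = "http://mysrvr:777/home"                      # where the app is served (page example)
APP_ROOT = "myapps/demoapp/client/version/lastversion"  # what APP_URL maps to on disk (page example)


def rewrite_path(app_url, app_root, fs_path):
    """Map one file-system path onto the application URL as the page describes:
    the directory the app serves from (app_root) corresponds to app_url, so any
    other file is reached by the relative path from app_root to that file."""
    rel = posixpath.relpath(fs_path.strip("/"), app_root.strip("/"))
    return app_url.rstrip("/") + "/" + rel


def build_requests(app_url, app_root, listing, include=None, exclude=()):
    """Apply the include/exclude file-type configuration (assumed here to be
    glob patterns matched against the file name) and rewrite what remains."""
    urls = []
    for fs_path in listing:
        name = posixpath.basename(fs_path)
        if include and not any(fnmatch(name, pat) for pat in include):
            continue
        if any(fnmatch(name, pat) for pat in exclude):
            continue
        urls.append(rewrite_path(app_url, app_root, fs_path))
    return urls


def select_by_status(results, wanted_codes):
    """Keep only the (url, status) pairs whose status the tester selected;
    a 200 on a request containing '../' is the finding this test looks for."""
    return [(url, status) for url, status in results if status in wanted_codes]


def resolve_in_root(doc_root, request_path):
    """Defender side: what a correct file handler does with the request path it
    receives after the application prefix. Normalise first, then require the
    result to stay under doc_root; return None for anything that escaped."""
    root = posixpath.normpath("/" + doc_root.strip("/"))
    candidate = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for url in build_requests(APP_URL, APP_ROOT, SAMPLE_LISTING, exclude=("*.txt",)):
        # The request path the server sees is everything after APP_URL.
        served = resolve_in_root("/srv/" + APP_ROOT, url[len(APP_URL) + 1:])
        print(url, "->", served if served else "refused")
```

The two requests the page lists, ../1.1/ and ../../../../differentapp/files/, fall out of posixpath.relpath directly, which is why the tool only needs the application URL and the directory it maps to. resolve_in_root works on the path string only; a real handler resolves symlinks (os.path.realpath) before the containment check, because a symlink inside the document root can point outside it.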

License: Attribution 3.0 Unported (CC BY 3.0)
who is working on this project?
Project Leader(s):
  • Tal Melamed @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Tal Melamed @ to contribute to this project
  • Contact Tal Melamed @ to review or sponsor this project
current release
GitHub


last reviewed release
Not Yet Reviewed


other releases