Testing Directory traversal/file include (OTG-AUTHZ-001)
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
- 1 Brief Summary
- 2 Related Security Activities
- 3 Description of the Issue
- 4 Black Box testing and example
- 5 Gray Box testing and example
- 6 References
Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible. In particular situations, it could be possible to execute arbitrary code or system commands.
Related Security Activities
Description of Path Traversal Vulnerabilities
See the OWASP article on Path Traversal Vulnerabilities.
See the OWASP article on Relative Path Traversal Vulnerabilities.
How to Avoid Path Traversal Vulnerabilities
How to Review Code for Path Traversal Vulnerabilities
Description of the Issue
Traditionally, web servers and web applications implement authentication mechanisms in order to control access to files and resources. Web servers try to confine users' files inside a "root directory" or "web document root" which represent a physical directory on the file system; users have to consider this directory as the base directory into the hierarchical structure of the web application. The definition of the privileges is made using Access Control Lists (ACL) that identify which users or groups are supposed to be able to access, modify, or execute a specific file on the server. These mechanisms are designed to prevent access to sensitive files from malicious users (for example, the common /etc/passwd file on a Unix-like platform) or to avoid the execution of system commands.
Many web applications use server-side scripts to include different kinds of files: it is quite common to use this method to manage graphics, templates, load static texts, and so on. Unfortunately, these applications expose security vulnerabilities if input parameters (i.e., form parameters, cookie values) are not correctly validated.
In web servers and web applications, this kind of problem arises in directory traversal/file include attacks. By exploiting this kind of vulnerability, an attacker is able to read directories or files which he/she normally couldn't read, access data outside the web document root, or include scripts and other kinds of files from external websites.
For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web servers (e.g., the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading suggestions in the references section, for interested readers.
This kind of attack is also known as the dot-dot-slash attack (../), directory traversal, directory climbing, or backtracking.
During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
- (a) Input Vectors Enumeration (a systematic evaluation of each input vector)
- (b) Testing Techniques (a methodical evaluation of each attack technique used by an attacker to exploit the vulnerability)
Black Box testing and example
(a) Input Vectors Enumeration
In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application which accept content from the user. This also includes HTTP GET and POST queries and common options like file uploads and HTML forms.
Here are some examples of the checks to be performed at this stage:
- Are there request parameters which could be used for file-related operations?
- Are there unusual file extensions?
- Are there interesting variable names?
http://example.com/getUserProfile.jsp?item=ikki.html http://example.com/index.php?file=content http://example.com/main.cgi?home=index.htm
- Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
(b) Testing Techniques
The next stage of testing is analyzing the input validation functions present into the web application.
Using the previous example, the dynamic page called getUserProfile.jsp loads static information from a file, showing the content to users. An attacker could insert the malicious string "../../../../etc/passwd" to include the password hash file of a Linux/Unix system. Obviously, this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.
To successfully test for this flaw, the tester needs to have knowledge of the system being tested and the location of the files being requested. There is no point requesting /etc/passwd from an IIS web server.
For the cookies example, we have:
It's also possible to include files and scripts located on external website.
The following example will demonstrate how it is possible to show the source code of a CGI component, without using any path traversal chars.
The component called "main.cgi" is located in the same directory as the normal HTML static files used by the application. In some cases the tester needs to encode the requests using special characters (like the "." dot, "%00" null, ...) in order to bypass file extension controls or to prevent script execution.
Tip It's a common mistake by developers to not expect every form of encoding and therefore only do validation for basic encoded content. If at first your test string isn't successful, try another encoding scheme.
Each operating system uses different chars as path separator:
root directory: "/" directory separator: "/"
root directory: "<drive letter>:\" directory separator: "\" but also "/"
(Usually, on Windows, the directory traversal attack is limited to a single partition.)
Classic Mac OS:
root directory: "<drive letter>:" directory separator: ":"
We should take in account the following chars encoding:
- URL encoding and double URL encoding
%2e%2e%2f represents ../ %2e%2e/ represents ../ ..%2f represents ../ %2e%2e%5c represents ..\ %2e%2e\ represents ..\ ..%5c represents ..\ %252e%252e%255c represents ..\ ..%255c represents ..\ and so on.
- Unicode/UTF-8 Encoding (it only works in systems that are able to accept overlong UTF-8 sequences)
..%c0%af represents ../ ..%c1%9c represents ..\
Gray Box testing and example
When the analysis is performed with a Gray Box approach, we have to follow the same methodology as in Black Box Testing. However, since we can review the source code, it is possible to search the input vectors (stage (a) of the testing) more easily and accurately. During a source code review we can use simple tools (such as the grep command) to search for one or more common patterns within the application code: inclusion functions/methods, filesystem operations, and so on.
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ... JSP/Servlet: java.io.File(), java.io.FileReader(), ... ASP: include file, include virtual, ...
For PHP, we can use:
Using the Gray Box Testing method, it is possible to discover vulnerabilities that are usually harder to discover, or even impossible to find during a standard Black Box assessment.
Some web applications generate dynamic pages using values and parameters stored in a database. It may be possible to insert specially crafted directory traversal strings when the application adds data to the database. This kind of security problem is difficult to discover due to the fact the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.
Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to change invalid input to make it valid, avoiding warnings and errors. These functions are usually prone to security flaws.
Considering a web application with these instructions:
filename = Request.QueryString(“file”); Replace(filename, “/”,”\”); Replace(filename, “..\”,””);
Testing for the flaw is achieved by:
file=....//....//boot.ini file=....\\....\\boot.ini file= ..\..\boot.ini
- Security Risks of - http://www.schneier.com/crypto-gram-0007.html
- phpBB Attachment Mod Directory Traversal HTTP POST Injection -
- Web Proxy (Burp Suite, Paros, WebScarab)
- Enconding/Decoding tools
- String searcher "grep" - http://www.gnu.org/software/grep/