This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Testing for Directory Traversal"

Jump to: navigation, search
(Description of the Issue)
(27 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v2}}
#REDIRECT [[Testing Directory traversal/file include (OTG-AUTHZ-001)]]
== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.
Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated. 
In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites. 
For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.
This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.
During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages: 
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
'''Result Expected:'''<br>
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:'''<br>
'''Result Expected:'''<br>
== References ==
{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Latest revision as of 15:44, 14 April 2015