Imagine being at a friend’s house, your friend says you can have any food in the house except for the ice cream. Your friend’s family keeps the ice cream in a locked freezer; but, your friend tells you they keep their keys in a drawer. You figure you could access the drawer, get the key, and finally gain access to that delectable ice cream. This basic idea is how directory traversal attacks work on web servers.
When we visit a website, we are given access to the root directory of the web server. On Windows web servers the root directory is “C:\Inetpub\wwwroot”. From the root directory you can reach any web content stored in it.
That is like having access to any food in your friend’s house. But you should not be able to reach any content above \wwwroot. To keep with the analogy, think of anything above \wwwroot as the forbidden ice cream.
Instead of locks, web servers use access controls like NTFS permissions to keep attackers out of the rest of the C: drive, where they could otherwise reach personal documents, Windows system files, hashed passwords, and more. Weak permissions, however, give attackers an easy route into that very content.
This kind of vulnerability is prevalent in older web servers and web application code that expose file names in the URL, which hands an attacker a detailed map of the directory structure. Although it depends on older technologies, directory traversal attacks are still frighteningly common.
Let us say we have a website that hosts a list of different ice creams and details about their ingredients.
A user would click on an ice cream name and download a document that details the ingredients. Let us say the URL is “icedingredients.com/IceCreams”.
A user clicks on strawberry ice cream to download the ingredients document, and the URL changes to “icedingredients.com/IceCreams=strawberry.docx”. You can tell the vulnerability may be present because the exact file name appears in the URL, which makes it easy for attackers to spot.
An attacker who notices this can submit malformed input in place of the file name to climb out of the root directory.
The sequence “../” tells the web server to step one directory up from the one it is currently in. With enough trial and error, an attacker can work out where they are in the file system, and with basic file system knowledge they can move around it if permissions are weak, giving them access to files they are not supposed to reach.
- You can run a web vulnerability scanner against your web server if you believe you may be at risk.
- Use tight access control lists to limit where attackers can reach.
- Keep your web server up to date.
- Filter input so that only the characters expected in normal user input are allowed.
- Consider storing your documents on a separate server.
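The “../” climb described above and the “filter input” mitigation are easiest to see side by side in code. The following is an added example, not code from the original post: it builds a throwaway folder tree that stands in for the icedingredients.com web root (the file names and contents are constructed), serves a requested document the way the vulnerable site does, and then serves it again with the check a defender would add. The function names (`build_demo_tree`, `serve_vulnerable`, `safe_path`, `serve_hardened`) are ours. It goes slightly beyond the post by also catching URL-encoded and backslash variants of “../”, since a filter that only looks for the literal three characters is easy to slip past.

```python
"""Directory traversal: a vulnerable file handler beside a hardened one.

Added example, not code from the original post. The layout (an 'IceCreams'
folder inside a web root) is constructed to mirror the post's scenario.
"""
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree():
    """Create a throwaway file tree standing in for the web server's disk.

    Constructed layout:
        <base>/secret.txt                         <- outside the web root
        <base>/wwwroot/IceCreams/strawberry.docx  <- the legitimate download
    Returns (base, web_root).
    """
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    web_root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(web_root, "IceCreams"))
    with open(os.path.join(web_root, "IceCreams", "strawberry.docx"), "w") as f:
        f.write("strawberries, cream, sugar")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for download")
    return base, web_root


def serve_vulnerable(web_root, requested):
    """The post's flaw: the URL parameter is joined straight onto the
    document folder, so '../' segments are honoured and the request can
    climb above web_root."""
    path = os.path.join(web_root, "IceCreams", unquote(requested))
    with open(path) as f:
        return f.read()


def safe_path(web_root, requested):
    """Resolve `requested` inside web_root/IceCreams, or return None.

    Decode once, treat backslashes like slashes (Windows servers accept
    both), canonicalise with realpath, then confirm the result still lies
    under the document folder. The final containment check is the real
    control; the decoding only stops it from being bypassed by encoding.
    """
    docs = os.path.realpath(os.path.join(web_root, "IceCreams"))
    rel = unquote(requested).replace("\\", "/")
    if "\x00" in rel:  # embedded NUL can never be a legitimate file name
        return None
    try:
        candidate = os.path.realpath(os.path.join(docs, rel))
        contained = os.path.commonpath([docs, candidate]) == docs
    except ValueError:  # e.g. paths on different drives
        return None
    return candidate if contained else None


def serve_hardened(web_root, requested):
    """Serve only files that resolve to a regular file under IceCreams."""
    path = safe_path(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    _, root = build_demo_tree()
    for req in ("strawberry.docx", "../../secret.txt",
                "..%2F..%2Fsecret.txt", "..\\..\\secret.txt"):
        try:
            leaked = serve_vulnerable(root, req)
        except OSError:
            leaked = None
        print(f"{req!r:28} vulnerable -> {leaked!r:30} hardened -> "
              f"{serve_hardened(root, req)!r}")
```

Running the block shows the vulnerable handler returning the contents of secret.txt for the “../../” request, while the hardened handler returns None for every request that resolves outside the IceCreams folder and still serves strawberry.docx normally.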
Directory traversal attacks let attackers reach files and data outside the web server’s root directory. Attackers use malformed URL input such as “../” to climb out of the directory, traverse the file system, and execute commands. The exploit is prevalent where the web server has weak access controls.
Thank you for reading, leave a comment if you have any questions, concerns, or ideas.
“Directory Structure”: CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition, 2015.