What is path traversal?

path traversal

Path traversal or directory traversal is a vulnerability where an attacker can request arbitrary files from a server by breaking out of a directory. Path traversal falls under the category “3: Injection” of the OWASP top 10

How does path traversal work?

Path traversal occurs when a user can request a file on the server and the server does not check the user’s input. For example, take the example below:

https://example.com/get_file.php?file=public/marketing.pdf

We see that the PHP file retrieves a PDF from the public folder. But what if we fill in another folder?

https://example.com/get_file.php?file=private/secret.txt

Without proper access control, the file “secret.txt” will now be downloaded. An attacker must know here that the file “secret.txt” exists and that it is present in the folder “private”. More on this later. Since we have now switched directories, we call this attack “directory traversal”.

In the example above, the directory is in the url. It is also possible to go up with a trick. The command to go up one folder is “../”. When the program cannot go any higher, the command will be ignored. On Linux, the /etc/passwd file is always present and readable. It used to contain passwords, but nowadays it’s more of a list of users. If we want to request this file, we can do the following:

https://example.com/get_file.php?file=../../../../../../../../etc/passwd

Although we have no idea how far up to go, we add ../ quite a few times. Maybe it’s too much, but that doesn’t matter. We should now be able to see the contents of /etc/passwd.

How does a hacker find files?

Some files are always in the same location, such as the passwd file. Others are often in the same location. For example, if we want to get the contents of get_file.php, chances are it’s in the /var/www/ or /var/www/html directory. However, this is not necessary, so it is a matter of guessing and trying commonly used paths. In the above example, the folder was named “private”. A hacker could find this out by looking at all the source code and finding references to the folder. An attacker can also try to request the access log. This logs which files have been requested, also by other users.

Default locations:
C:windowswin.ini
C:windowssystem.ini
C:windowsiis.log
C:windowsSystem32Driversetchosts
C:inetpubindex.asp
/etc/passwd
/etc/shadow
/etc/crontab
var/www/logs/access_log
var/www/logs/access.log
/etc/httpd/logs/access.log
var/log/apache/access_log
var/log/apache2/access_log
/var/www/index.php
/var/www/html/index.php