{"id":47616,"date":"2022-09-26T14:46:51","date_gmt":"2022-09-26T12:46:51","guid":{"rendered":"https:\/\/cyberant.com\/wat-is-path-traversal\/"},"modified":"2023-04-12T16:01:37","modified_gmt":"2023-04-12T14:01:37","slug":"what-is-path-traversal","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/what-is-path-traversal\/","title":{"rendered":"What is path traversal?"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8irfxwk-d81b6f882fea88d225a42a97c949be29\">\n#top .av_textblock_section.av-l8irfxwk-d81b6f882fea88d225a42a97c949be29 .avia_textblock{\nfont-size:40px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8irfxwk-d81b6f882fea88d225a42a97c949be29 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1 class=\"h2 entry-title\">What is path traversal?<\/h1>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-nqt16y-bf01da7399be11f838db2ef9693a2cb3\">\n#top .hr.hr-invisible.av-nqt16y-bf01da7399be11f838db2ef9693a2cb3{\nheight:30px;\n}\n<\/style>\n<div  class='hr av-nqt16y-bf01da7399be11f838db2ef9693a2cb3 hr-invisible  avia-builder-el-1  el_after_av_textblock  el_before_av_textblock '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8irgeyu-22dfcacb83ab024288d9f48f9b6db954\">\n#top .av_textblock_section.av-l8irgeyu-22dfcacb83ab024288d9f48f9b6db954 .avia_textblock{\nfont-size:16px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8irgeyu-22dfcacb83ab024288d9f48f9b6db954 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h3><img decoding=\"async\" class=\"attachment-large size-large wp-post-image webpexpress-processed 
aligncenter\" style=\"font-size: 16px; margin: 0px;\" src=\"https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280-1024x768.jpg\" sizes=\"(max-width: 640px) 100vw, 640px\" srcset=\"https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280-1024x768.jpg 1024w, https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280-300x225.jpg 300w, https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280-768x576.jpg 768w, https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280-400x300.jpg 400w, https:\/\/cyberant.com\/wp-content\/uploads\/2022\/08\/vias-gcb5873043_1280.jpg 1280w\" alt=\"path traversal\" width=\"640\" height=\"480\" \/><\/h3>\n<p><span class=\"lead\">Path traversal, or directory traversal, is a vulnerability where an attacker can request arbitrary files from a server by breaking out of a directory. Path traversal falls under the category &#8220;3: Injection&#8221; of the <a href=\"https:\/\/cyberant.com\/en\/knowledge-base-item\/owasp-top-10\/\">OWASP top 10<\/a>.<\/span><\/p>\n<h3>How does path traversal work?<\/h3>\n<p>Path traversal occurs when a user can request a file on the server and the server does not validate the user&#8217;s input. Take the example below:<\/p>\n<p><code>https:\/\/example.com\/get_file.php?file=public\/marketing.pdf<\/code><\/p>\n<p>Here the PHP script retrieves a PDF from the public folder. But what if we fill in another folder?<\/p>\n<p><code>https:\/\/example.com\/get_file.php?file=private\/secret.txt<\/code><\/p>\n<p>Without proper access control, the file \u201csecret.txt\u201d will now be downloaded. For this to work, the attacker must know that the file \u201csecret.txt\u201d exists and that it is in the folder \u201cprivate\u201d. More on this later. Since we have now switched directories, we call this attack \u201cdirectory traversal\u201d.<\/p>\n<p>In the example above, the directory is in the URL. 
It is also possible to move up the directory tree. The path segment that moves up one folder is \u201c..\/\u201d. When the path is already at the top of the file system and cannot go any higher, the segment is ignored. On Linux, the \/etc\/passwd file is always present and readable. It used to contain passwords, but nowadays it&#8217;s more of a list of users. If we want to request this file, we can do the following:<\/p>\n<p><code>https:\/\/example.com\/get_file.php?file=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/p>\n<p>Because we have no idea how far up to go, we add ..\/ quite a few times. That may be more than needed, but it doesn&#8217;t matter, because the extra segments are ignored. We should now be able to see the contents of \/etc\/passwd.<\/p>\n<h3>How does a hacker find files?<\/h3>\n<p>Some files are always in the same location, such as the passwd file. Others are often in the same location. For example, if we want to get the contents of get_file.php, chances are it&#8217;s in the \/var\/www\/ or \/var\/www\/html directory. However, this is not guaranteed, so it is a matter of guessing and trying commonly used paths. In the above example, the folder was named \u201cprivate\u201d. A hacker could find this out by going through the source code and finding references to the folder. An attacker can also try to request the access log. 
This logs which files have been requested, also by other users.<\/p>\n<p><strong>Default locations:<\/strong><br \/>\n<code>C:\\windows\\win.ini<br \/>\nC:\\windows\\system.ini<br \/>\nC:\\windows\\iis.log<br \/>\nC:\\windows\\System32\\Drivers\\etc\\hosts<br \/>\nC:\\inetpub\\index.asp<br \/>\n\/etc\/passwd<br \/>\n\/etc\/shadow<br \/>\n\/etc\/crontab<br \/>\nvar\/www\/logs\/access_log<br \/>\nvar\/www\/logs\/access.log<br \/>\n\/etc\/httpd\/logs\/access.log<br \/>\nvar\/log\/apache\/access_log<br \/>\nvar\/log\/apache2\/access_log<br \/>\n\/var\/www\/index.php<br \/>\n\/var\/www\/html\/index.php<\/code><\/p>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":11,"featured_media":46122,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[195,216],"tags":[182,183,197,190,191,185,192,204,194],"class_list":["post-47616","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacken","category-knowledge-base","tag-cyber-security-en","tag-cyberaanval-en","tag-cybercriminelen-en","tag-datalekken-en","tag-etisch-hacker-en","tag-hacker-en","tag-owasp-en","tag-path-traversal-en","tag-pentest-en"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=47616"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47616\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media\/46122"}],"wp:at
tachment":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=47616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/categories?post=47616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=47616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}