What is Directory Traversal in Cyber Security?

What is a Path Traversal Vulnerability?

  • Reading sensitive files outside the intended directory, such as credential stores, configuration and application source code
  • Manipulation of application data and functionality, up to arbitrary code execution where the traversal also lets the attacker write files (for example an upload that lands in the web root or a configuration directory)
  • Impersonation of privileged users such as administrators, using credentials or session secrets recovered from the files that were read

Directory Traversal Attack Examples

Directory Traversal in Python

<img src="/getImage?filename=darwin_sample_image.jpg" />
https://darwin-vulnerable-site/getImage?filename=../../../etc/passwd

Path Traversal in Java

<form action="FileUploadServlet" method="post" enctype="multipart/form-data"> 
Choose a file to upload:
<input type="file" name="darwin-filename"/>
<br/>
<input type="submit" name="submit" value="Submit"/>
</form>
public class FileUploadServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contentType = request.getContentType();

        // the starting position of the boundary header
        // (note: contentType is dereferenced here before the null check below)
        int ind = contentType.indexOf("boundary=");
        String boundary = contentType.substring(ind + 9);

        String pLine = new String();
        String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); // constant value

        // verify that the content type is multipart form data
        if (contentType != null && contentType.indexOf("multipart/form-data") != -1) {
            // extract the filename from the HTTP header
            BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
            ...
            pLine = br.readLine();
            // the name comes straight from the client-controlled Content-Disposition line;
            // nothing here rejects ".." segments or path separators
            String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));
            ...

            // write the upload into the upload directory: uploadLocation + filename is never
            // normalized or checked, so "../" in the supplied name escapes the directory
            try {
                BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation + filename, true));
                for (String line; (line = br.readLine()) != null; ) {
                    if (line.indexOf(boundary) == -1) {
                        bw.write(line);
                        bw.newLine();
                        bw.flush();
                    }
                } // end of for loop
                bw.close();
            } catch (IOException ex) { ... }
            // output successful upload response HTML page
        }
        // output unsuccessful upload response HTML page
        else {
            ...
        }
    }
    ...
}

Directory Traversal in PHP

<?php
// view.php: includes a page fragment named by the "page" query parameter
$page = $_GET['page'];
// the user-supplied value is concatenated straight into the path; nothing strips "../"
$filename = "/pages/$page";
$file_handler = fopen($filename, "r");
$contents = fread($file_handler, filesize($filename));
fclose($file_handler);
echo $contents;
view.php?page=about
view.php?page=../admin/login.php

Path Traversal Vulnerability in Apache HTTP Server

A filesystem-wide grant like the one below removes the server's last line of defence: if a flaw in URL path normalization lets a request escape DocumentRoot, every file the server process can read becomes servable. The stock httpd.conf instead declares the filesystem root as Require all denied and grants access per DocumentRoot.

<Directory />
Require all granted
</Directory>

Approaches to Prevent Directory Traversal Attacks

Path Traversal Vulnerability Fix In Java

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

// BASE_PATH is the directory the application may serve from; VALID_PATHS is an
// allow-list (Set<String>) of the relative names the application expects.
static String readAllowedFile(String normalized_path) throws IOException {
    if (VALID_PATHS.contains(normalized_path)) {
        File file = new File(BASE_PATH, normalized_path);
        // canonicalize both sides (resolves ".." and symlinks), then check containment
        if (file.getCanonicalFile().toPath().startsWith(Paths.get(BASE_PATH).toRealPath())) {
            String content = new String(Files.readAllBytes(file.toPath()));
            return content;
        } else {
            return "Access Error";
        }
    } else {
        return "Access Error";
    }
}

Path Traversal Vulnerability Fix in Python

  • Serving files through an up-to-date web framework whose static-file helpers already normalize the requested path and reject alternative encodings of ".." rather than hand-rolling that logic
  • Resolving the requested path with os.path.realpath (which collapses ".." and follows symlinks) and expressing it relative to the allowed base directory with os.path.relpath; a result that begins with ".." has escaped and must be refused before any file is opened
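The /getImage?filename= endpoint from the examples above and the two Python mitigations just listed, written out side by side as an added example that is not code from the original article. The directory layout, file contents, function names and the image-extension allow-list are all constructed for the demonstration; the hardened handler assumes the web framework has already percent-decoded the query parameter once.

```python
import os
import tempfile

# Constructed demo layout (not a real deployment):
#   <root>/www/images/darwin_sample_image.jpg   the only file /getImage should ever serve
#   <root>/www/images/shortcut.jpg              a symlink planted inside the served directory
#                                               that points at <root>/etc/passwd
#   <root>/etc/passwd                           the "sensitive" file two levels above the images
IMAGE_SAMPLE = b"\xff\xd8\xff\xe0 fake-jpeg-bytes"
PASSWD_SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def build_demo_tree():
    """Create the layout above in a fresh temporary directory and return where things are."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    image_dir = os.path.join(root, "www", "images")
    passwd = os.path.join(root, "etc", "passwd")
    os.makedirs(image_dir)
    os.makedirs(os.path.dirname(passwd))
    with open(os.path.join(image_dir, "darwin_sample_image.jpg"), "wb") as f:
        f.write(IMAGE_SAMPLE)
    with open(passwd, "wb") as f:
        f.write(PASSWD_SAMPLE)
    try:  # symlink creation can be unavailable (e.g. unprivileged Windows); the rest still runs
        os.symlink(passwd, os.path.join(image_dir, "shortcut.jpg"))
        has_symlink = True
    except OSError:
        has_symlink = False
    return {"root": root, "images": image_dir, "passwd": passwd, "symlink": has_symlink}


def get_image_vulnerable(image_dir, filename):
    """The /getImage?filename=... pattern from the article: user input joined onto the base
    directory and opened as-is.  '../' segments climb out of image_dir, and an absolute
    filename makes os.path.join drop image_dir altogether."""
    with open(os.path.join(image_dir, filename), "rb") as f:
        return f.read()


class UnsafePathError(ValueError):
    """Request rejected before any file is opened."""


def get_image_safe(image_dir, filename):
    """Hardened handler: resolve the real path first, then check it, then read.

    `filename` is assumed to be the already percent-decoded query parameter.  The check is
    made on the path the filesystem would actually open, not by searching the string for
    '../', which alternative encodings ('..\\', '%2e%2e/', overlong UTF-8) would slip past."""
    base = os.path.realpath(image_dir)
    # realpath collapses '.' and '..' and follows symlinks, so a planted link is judged by
    # its target rather than by its innocent-looking name
    target = os.path.realpath(os.path.join(base, filename))
    rel = os.path.relpath(target, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise UnsafePathError("%r resolves outside %s" % (filename, base))
    # second gate: only image names are served, even from inside the directory
    if os.path.splitext(rel)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePathError("%r is not an image name" % filename)
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    tree = build_demo_tree()
    print(get_image_vulnerable(tree["images"], "../../etc/passwd"))  # the leak
    try:
        get_image_safe(tree["images"], "../../etc/passwd")
    except UnsafePathError as err:
        print("blocked:", err)
```

The containment check runs before the extension check on purpose: a request is refused for leaving the directory without the code ever having to decide whether the target exists, and the extension allow-list then handles names that stay inside but are not images.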

Path Traversal Vulnerability Fix in C#

  • Rejecting any request parameter that contains a character returned by Path.GetInvalidFileNameChars(); note that "." is not among those characters, so this alone does not stop ".." and must be paired with a containment check
  • Using indirect object references (an identifier that is mapped server-side to a resource location) so that user input is never passed to filesystem APIs at all
  • Combining a check that the resolved absolute path lies under the intended base directory with sanitization of user-supplied names and validation of the file extension

FAQs

What is the difference between file inclusion attacks and directory traversal?

What are arbitrary files?
