This is the first installment in a series on Web Application Vulnerability Basics.
What Is a Path Traversal Attack?
Path traversal, also known as directory traversal and backtracking, is an exploit that allows an attacker to access files on a web server that they’re not authorized to view. Using path traversal, an attacker can read privileged files within the web root that aren’t normally served through the browser (e.g., configuration files and source code). Additionally, an attacker can use path traversal to read sensitive files outside the web root.
A path traversal attack can expose credentials, application code and data, configurations, and other sensitive information to an attacker. This information can lead to a full compromise of the web server or web application and can serve as a pivot point into the rest of the network.
How Does Path Traversal Work?
A path traversal attack relies on unvalidated and unfiltered user input for file operations. This can include URL paths, text fields, API queries, and anywhere else that employs user input to reference a file. Once a potentially vulnerable field is located, an attacker will attempt to escape the working directory by using a parent reference in the file path, such as “../” for a UNIX system and “..\” for a Windows system. An attacker may utilize text encoding to get around filtering to execute a traversal attack.
If the attacker is successful in escaping the working directory, they can chain multiple parent references together to jump further up the file system. For example, if the working directory is in “/var/www/html”, an attacker could chain three parent references together (“../../../”) to get to the root directory. Generally, an attacker will attempt to obtain a globally readable file to see if path traversal is possible, such as /etc/passwd on Linux or C:\Windows\win.ini on Windows. In our example, this would look like “../../../etc/passwd”.
Note: Since the exploit runs under the context of the user that is serving the website, file permissions for the user apply to a path traversal attack. If the user running the web app is unauthorized to read a file, a path traversal attack will not be able to access it either.
Path Traversal Mitigation Techniques
As a rule, avoid using user input for file system calls wherever possible to minimize the opportunity for a path traversal attack. If it’s necessary to use user input for file system calls, there are a few mitigation techniques that you can use:
Block any input containing “.” or “..” sequences, as well as any encoded variants such as “%2e%2e”.
Validate user input before any processing.
Evaluate the canonical path and verify that it’s in the expected directory.
There are also mitigation techniques that you can implement to reduce the impact of a successful path traversal attack. Restrict permissions for the web application following the principle of least privilege to decrease the exposure of a successful path traversal attack. In addition, the directory used to store files that are accessed using user-controlled data can be located on a separate logical volume than sensitive application and operating system files. Files that are on a separate logical volume cannot be accessed using a path traversal attack. Implement this on a Unix-based system by using a chrooted file system, and by mounting the base directory as a new logical drive on a Windows system.
Attackers can use path traversal attacks to find and exfiltrate sensitive data such as application source code, user PII, credentials, and more. Take proper precautions when handling user input for file system calls and minimize the use of user input for file system calls wherever possible. Vulnerability to directory traversal attacks should be regularly assessed and mitigated when developing and deploying a web application.
For more on web application vulnerability basics, check out these blog posts: