Directory Traversal Attack

A Directory traversal attack is a web security vulnerability that allows an attacker to gain unauthorized access to restricted files on a server. Directory traversal is also known as file path traversal and path traversal. 

User access is usually restricted by access control lists (ACL) and the root directory. ACLs are rules for filtering network traffic that define which users are given (or denied) access to system resources. Typically, an ACL table shows which users are allowed to access specific objects, such as directories or files on the system. Every object has a security property that links it to its ACL. The ACL contains information for every user with the privileges to access the system. The root directly also places boundaries upon the users. In Unix systems, the root directory is the uppermost directory in a file hierarchy. It is the root from which the branches extend. User access is limited to the root directory – so users cannot access directories or files outside the root directory.

A directory traversal attack directly results from exploiting a directory traversal vulnerability. Threat actors often use trial and error to find paths to restricted files on a web server. Perhaps they can search the directory tree and then execute this type of attack on a poorly protected server. In terms of the resources and tools required, threat actors don’t need much. They need information about the location of the directories, an understanding of hypertext transfer protocol, and access to any web browser!

Directory traversal attacks generally fall into two broad categories. First, this vulnerability occurs when user browser input is not adequately validated. This vulnerability can also exist in application code on the web server or in a web server software file. 

It is common to find directory traversal attacks that target direct traversal vulnerabilities in the web server. It is also common to find those that target directory traversal vulnerabilities within application code. Regardless of the attack category, directory traversal can be crafted using any number of programming languages, including Apache, ColdFusion, Perl, Python, PHP, and others. In many programming languages, the injection of a null byte enables an attacker to shorten a generated filename to widen the scope of an attack. For example, the software may add “.txt” to any path name, limiting a cyberattacker to text files, but a null injection can easily remove this restriction.

Directory traversal vulnerabilities within web servers are often used to execute specific files. The technique and procedures for this attack involve sending specific URLs to the web server containing targeted file names. This particular technique for directory traversal is easy for attackers to execute when adequate preventative procedures are not in place. File operations generally take place in a restricted directory. Attackers can use special characters to escape outside the restricted location to access files and directories elsewhere within the system. The “../”sequence is generally interpreted as the parent directory of the current location. Absolute path names may be used to access unexpected files.

Attackers exploit the vulnerabilities within application code by sending specific URLs to the web server. These URLs request that the server return identified and named files to the application. Initially, the attacker must identify a URL that causes the application to retrieve a file directly from the web server. Once this has been determined, the URL string can be modified to add the name of the file they want to access. This probing is a trial and error process, but given enough time,  most threat actors successfully determine the correct URL string.

There are essential steps that SecOPS teams can take to prevent or reduce the probability of a successful directory traversal attack. Critical best practice requires that your programmers have specific guidelines that they must validate user input received by browsers. This sort of input validation will restrict the user of dangerous commands like SQL injection. Filtering can also limit or block some user input, such as the commands and escape codes, that might be related to malicious activity. You can also stop directory traversal by not allowing applications to read files dynamically. Instead, the application validates input by referencing an “allow list” of files that can be included. Web application security that filters using path names and file extensions allow attackers to trick the filtering process by manipulating characters and the sequences they use.

Another best practice for prevention is to patch and update all software regularly. We hear this all the time, and it applies to most vulnerabilities! Most patches today contain critical security fixes. Once these are issued, attackers know they can target vulnerabilities associated with these fixes as many will not have been installed, sometimes for many months. 

SecOPS teams should consider attack input vector enumeration. Input vector enumeration testing techniques systematically evaluate the methods used by an attacker to exploit the vulnerability successfully. SecOPS teams can also look for patterns in the web application’s URL structure to identify directory traversal risks. 

The use of automated tools and regular penetration testing is also highly recommended. Automated tools can check for traversal vulnerabilities. These tools may be static (check for vulnerabilities when the code is not running) or dynamic (check the code while the application is running). Penetration takes the skill of the testing to the highest levels. Penetration testing can help you rapidly find and assess weaknesses within your applications and systems.

In the final analysis, it is critical to ensure that only what is legitimately submitted by users goes to the server. Input should be validated by comparison against a list of permitted input values. Sysadmins should also use external storage so that directories with sensitive material are kept isolated from publicly accessible information directories. Also, consider a content management system that would enable your users to upload large volumes of content more safely. These users will rarely have access to the actual URL paths of the documents. Indexing is another technique you can use to add a layer of safety instead of using raw file names in URLs. Indexes further separate the threat actor and the files.  The index does not give the threat actor direct access to the file.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.