In which cases can a path traversal vulnerability occur? How to detect this flaw and protect yourself from it?
This is what we will detail in this article.
A path traversal or directory traversal attack aims at accessing and reading files stored outside the tree structure exposed directly by the web service.
It consists in modifying a request’s parameters to navigate in the tree structure. The goal of the attacker is to browse the directories to reach sensitive files to which access is normally not allowed (configuration files, source code…)
In some situations, the attacker may even have access to unauthorised functionality, such as writing files on the server. This can lead them to take control of the server and the vulnerability becomes then an RCE.
Most web applications use locally stored resources (images, scripts, text files…) to perform their tasks. Sometimes, these resources are embedded in other pages via parameters that a user can manipulate.
The path traversal flaw occurs when the user parameters aren’t sanitised and/or there is a lack of access control to the resources.
It’s then possible for an attacker to modify the parameters of the request to ask to return other resources.
The impact of this flaw is generally critical. Indeed, depending on the context, the attacker might be able:
To find a path traversal flaw, you need to rigorously list all the places where users can send data.
The OWASP Testing Guide details points to look for:
Once the points have been identified, we need first to test different techniques to exploit the vulnerability. You can then try techniques to bypass the controls in place.
The most common method is to check if it’s possible to go up to other directories:
These different techniques may need to be combined, as some protections may be in place while others aren’t.
You can rely on PayloadsAllTheThings, which lists a wide variety of payloads.
A second possibility is to include external resources directly in the call parameters, in cookies or other vectors.
During the web application penetration tests we carry out, we regularly encounter this flaw.
Some of the vulnerabilities discovered are classic situations, for example the parameter used in a include function isn’t protected. Or it’s possible to manipulate a parameter passed to a curl function in which it’s permitted to use file://.
Other flaws are more hidden. For instance, we tested an application that had a pdf generator. The generator included the user’s personal data in the pdf.
To exploit the vulnerability, we modified the user’s “address” field by putting a <iframe src='file:///etc/passwd'></iframe>. The generator interpreted the HTML. The problem was that the library was allowed to retrieve files via file://.
When generating the pdf, the iframe was interpreted and would display the resources we had requested. The impact of a flaw like this is critical.
To avoid these flaws, several measures should be implemented:
In the case of our pdf generator example, the remediation is that HTML is not interpreted and file: not allowed. Furthermore, it should not be possible to load local files in iframes, nor local web resources (SSRF).
