The software uses the external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as “..” and “/” separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the “../” sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as “/usr/local/bin”, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal.
– Are there request parameters that could be used for file-related operations, unusual file extensions, or interesting variable names, and is it possible to identify cookies used by the web application for the dynamic generation of pages?
– A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
– It may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.
– File System Function Injection, Content-Based, Using Slashes and URL Encoding Combined to Bypass Validation Logic, Manipulating Input to File System Calls, Using Escaped Slashes in Alternate Encoding, and Relative Path Traversal.
– Configure the access control correctly, enforce the principle of least privilege, and execute programs with constrained privileges, so that the parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.
– Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.
– Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to the server host.
– Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if an attacker gains some limited access to commands.
– Implementation: Perform input validation for all remote content, including remote and user-generated content.
– Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to the client is sanitized against an acceptable content specification — whitelisting approach.
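As an added example (not code from the original page), the following Python shows the two mitigations above combined: accept only known-good path segments, then canonicalize the result and confirm it still lies under the restricted directory. `BASE_DIR` and the sample inputs are constructed for illustration.

```python
import os
import re
import urllib.parse
from typing import Optional

# Constructed example: the restricted directory the application serves files from.
BASE_DIR = "/var/www/app/public"

# Known-good segment: letters, digits, '.', '_' and '-', never starting with a dot,
# so "." and ".." can never pass (allow-list, not a deny-list of bad strings).
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly so %2e%2e%2f and %252e%252e%252f are seen as '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_join(base: str, user_path: str) -> Optional[str]:
    """Return the canonical path of user_path beneath base, or None if it is rejected."""
    decoded = fully_decode(user_path)
    # NUL bytes truncate paths at the C level; backslashes act as separators on Windows.
    if "\0" in decoded or "\\" in decoded:
        return None
    # Absolute path traversal: the client must never choose the root.
    if os.path.isabs(decoded):
        return None
    # Allow-list every segment; empty segments ("a//b", trailing '/') are rejected too.
    if not all(SEGMENT_RE.fullmatch(seg) for seg in decoded.split("/")):
        return None
    # Defence in depth: canonicalize (collapses '..', follows symlinks) and then
    # compare against the canonical base, rather than trusting the text check alone.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("css/site.css", "../../etc/passwd", "%2e%2e%2fetc%2fpasswd", "/etc/passwd"):
        print(repr(probe), "->", safe_join(BASE_DIR, probe))
```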
- Path Traversal Fuzz Strings (from the WFuzz Tool)
- Burp Suite
- OWASP ZAP