Directory Traversal 101

By suktech24, Thurs 23 Jan 2025, Estimated reading time : 10 – 12 mins

Directory traversal attacks, also known as path traversal attacks (dot-dot-slash, directory climbing, backtracking attacks), are a common type of web application vulnerability that allows an attacker to gain unauthorized access to files and directories stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or password or configuration and critical system files. In this week blog post, the followings will explored:

What is Directory Traversal?
How Directory Traversal Attacks work
Attack vectors and techniques
Potential impact
Tools for testing
Prevention strategies
CVE
Summary

1. What is Directory Traversal?

Directory traversal, also known as path traversal, is a web security vulnerability that enables attackers to access restricted directories and execute commands outside the intended root directory of a web application. This can lead to the exposure of sensitive information, such as application code, credentials for back-end systems, and critical operating system files. The attack typically exploits insufficient input validation, allowing attackers to craft malicious requests that navigate the file system. In some cases, attackers may also gain the ability to write arbitrary files on the server, potentially modifying application data or behavior and gaining full control over the system.

2. How Directory Traversal Attacks work

Directory traversal attacks typically exploit the following vulnerabilities:

Input validation flaws
Misconfigured Web Servers
Insecure File Uploads

2.1 Input Validation Flaws

Applications that fail to properly sanitize user-supplied file paths are vulnerable to directory traversal attacks. Attackers can manipulate input using special characters like ../ to access restricted directories and sensitive files.

Example : Attack in web server due to input validation weakness

Unix/Linux servers are widely used for web hosting due to their stability, security, and cost-effectiveness with open-source software. Popular web servers, such as Apache and Nginx, often run on Unix-based systems, making them frequent targets for directory traversal attacks.

The standardized directory structure in Unix/Linux (e.g., /var, /etc, /home) provides predictable locations for sensitive files like /etc/passwd and /etc/shadow. This predictability makes Linux-based servers attractive to attackers, as they know exactly where to look for critical data.

Sample Directory Layout for a Directory Traversal Attack Demonstration


/webapp                  # Root directory for the web application
├── app                  # Application code directory
│   ├── main.js          # Main application logic
│   ├── routes.js        # Route definitions, including loadImage handler
│   └── utils.js         # Utility functions
├── public               # Public assets accessible to users
│   ├── css              # CSS files for styling
│   ├── js               # JavaScript files for front-end functionality
│   └── images           # Directory containing images for the shop
│       ├── 218.png      # Sample image file
│       ├── 219.png      # Sample image file
│       └── (other images)
├── views                # HTML templates for rendering pages
│   └── index.html       # Homepage template
└── config               # Configuration files
    ├── database.conf    # Database configuration
    ├── app.conf         # Application configuration
    └── secrets.env      # Environment variables (contains sensitive data)

/var
└── www                  # Root web directory
    └── images           # Image directory used by loadImage route
        ├── 218.png      # Actual image file path
        ├── 219.png      # Actual image file path
        └── (other images)

/etc                     # System directory (not intended for app access)
├── passwd               # System password file, target of traversal attack
└── shadow               # Sensitive shadow file, inaccessible by default

Attack Scenario

The application reads image files from /var/www/images/ based on a user-supplied filename passed as a query parameter.

For example, a legitimate request might look like: https://insecure-website.com/loadImage?filename=218.png

However, an attacker can manipulate this input to escape the intended directory and access sensitive system files: https://insecure-website.com/loadImage?filename=../../../etc/passwd

2.2 Misconfigured Web Servers

Improperly configured web servers can unintentionally expose sensitive files due to incorrect permissions, overly permissive access controls, or default settings that allow unrestricted directory access. Many web servers, such as Apache, Nginx, and IIS, come with default configurations that may not be secure out of the box. If directory listing is enabled, attackers can browse directories and access files that should remain hidden. Additionally, weak permission settings may allow unauthorized users to read configuration files, database credentials, or other sensitive data.

2.3 Insecure File Uploads

Applications that allow file uploads without proper checks may enable attackers to upload malicious scripts that can later be accessed via directory traversal.

Example of a Vulnerable File Handling Process:

file = request.GET[‘filename’]
filepath = f”/var/www/uploads/{file}”
send_file(filepath)

In this case, if the application fails to validate the filename parameter, an attacker could manipulate it to retrieve sensitive system files:

Attack Payload:

Attack payload: filename=../../etc/passwd

This input would traverse directories and retrieve /etc/passwd, exposing system user information.

Techniques Used in File Upload Exploits:

Path Sequence Manipulation – Using ../ to escape restricted directories.
URL Encoding Bypasses – Encoding traversal sequences (e.g., %2e%2e%2f for ../).
Unicode/UTF-8 Encoding Tricks – Using alternative character encodings to evade filters.
Double Encoding Techniques – Encoding characters multiple times to bypass security mechanisms.

Attackers often exploit insecure file uploads through features like file download functionality, image loading systems, template inclusion, and log file viewers. Additionally, backup files and ZIP file extractions can be targeted to retrieve or overwrite sensitive data.

3. Attack vectors and techniques

3.1. Path Manipulation and Encoding Techniques

Attackers use various encoding and path manipulation techniques to bypass security controls and access restricted directories.

Path Sequence Manipulation – Using traversal sequences (../, ..\) to access parent directories.
URL Encoding & Decoding – Encoding traversal characters (e.g., %2e%2e%2f for ../) to bypass input filters.
Double Encoding Techniques – Encoding characters multiple times (e.g., %252e%252e%255c for ..\).
Unicode & UTF-8 Encoding Tricks – Using alternative character encodings (..%c0%af for ../ in Unix).
Null Byte Injection – Appending %00 to trick applications into misinterpreting file extensions (file.txt%00.jpg).
- https://www.thehacker.recipes/web/inputs/null-byte-injection

3.2. Operating System-Specific Exploits

Different operating systems handle file paths uniquely, creating diverse attack opportunities.

Unix/Linux Path Handling – Uses / as a separator, making predictable paths like /etc/passwd a common target.
Windows Path Handling – Supports both \ and /, allowing traversal sequences like ..\Windows\System32\drivers\etc\hosts.
Path Separator Variations – Windows allows filenames to have extra dots (file.txt...) that bypass security filters.

3.3. Exploiting File System Interaction Points

Many web applications interact with the file system, exposing critical attack surfaces.

File Download Features – Attackers manipulate file parameters (?file=document.pdf) to access system files.
Image Loading Features – Dynamically loaded images (?img=profile.jpg) can be exploited to retrieve sensitive files.
Template Inclusion Systems – CMS and frameworks dynamically loading templates (?template=../../config.php).
Log File Viewers – Attackers access logs through traversal (?log=../../../../var/log/auth.log).
Backup File Access – Exploiting restore features to retrieve sensitive backups (?backup=../../../db_backup.sql).
ZIP File Extraction – Malicious archives containing relative paths (../../../etc/passwd) extract files into unauthorized locations.

4. Potential impact

Directory traversal attacks can result in serious security breaches, including:

Data Exposure: Attackers can access sensitive information, such as user credentials, API keys, configuration files, or confidential documents, leading to data leaks.
Privilege Escalation: By exploiting directory traversal to access system files, attackers may gain higher privileges, allowing them to perform unauthorized actions and escalate their control over the system.
Web Server Compromise: Attackers could execute arbitrary code or gain full control of the server, resulting in complete system compromise, data corruption, or the installation of malicious software.
Compliance Violations: Data breaches from directory traversal could result in violations of privacy laws and regulations (e.g., GDPR, HIPAA). This could lead to legal actions and financial penalties.
Resource Abuse: Attackers may exploit a vulnerable web server to execute Denial-of-Service (DoS) attacks, consume excessive resources, or use the server for malicious purposes, such as cryptocurrency mining.
Lateral Movement: Once an attacker gains access to one system, they could use the exploited server as a launching pad to attack other parts of the network, compromising additional systems or data.

5. Tools for testing

There are several tools available for security professionals to identify and test for directory traversal vulnerabilities in web applications. These tools help automate the process of discovering flaws and can be integrated into a larger security testing workflow:

Burp Suite: A widely-used web application security testing tool that allows security professionals to intercept, modify, and analyze HTTP requests and responses. It includes features like the Intruder and Scanner to automate testing for vulnerabilities, including directory traversal.
- https://portswigger.net/burp/communitydownload
DotDotPwn: A specialized tool for detecting directory traversal vulnerabilities, DotDotPwn is designed to test various web applications and servers by sending traversal payloads and analyzing the response.
- https://www.kali.org/tools/dotdotpwn/
DirBuster: An open-source tool designed for brute-forcing directories and file names on web servers. DirBuster can help identify hidden files and directories that could be exploited in directory traversal attacks.
- https://www.kali.org/tools/dirbuster/
OWASP ZAP: An open-source web application security scanner with powerful capabilities for testing and finding vulnerabilities, including directory traversal. ZAP offers features like Automated Scanning and Passive Scanning to detect various attack vectors.
- https://www.zaproxy.org/
Nikto: A comprehensive web server scanner that tests for a wide range of vulnerabilities, including directory traversal. Nikto helps detect issues such as insecure files, outdated software, and misconfigured settings on web servers.
- https://github.com/sullo/nikto/wiki/Overview-&-Description

6. Prevention strategies

To mitigate the risk of directory traversal attacks, organizations should implement the following best practices:

Input Validation: Properly validate and sanitize all user inputs. Use a whitelisting approach to only allow safe characters (e.g., alphanumeric characters) and reject any input containing dangerous sequences like .. or /.
Use of Secure File Upload Mechanisms: When allowing file uploads, store files outside the web root directory to prevent unauthorized access. Additionally, enforce strict validation checks on uploaded files to ensure that only safe file types are accepted and prevent the uploading of malicious scripts.
Regular Security Audits: Conduct regular security audits and vulnerability assessments to proactively identify and fix any potential directory traversal vulnerabilities. This includes testing web applications with up-to-date security tools and manual reviews.
Implementing Security Controls: Use security controls like Web Application Firewalls (WAFs) to filter and monitor incoming traffic, blocking potentially malicious requests. Configure WAFs to detect and block directory traversal payloads.

These prevention strategies provide a multi-layered approach to securing web applications against directory traversal attacks. By incorporating validation, secure file handling, routine audits, and robust security controls, organizations can significantly reduce the risk of exploitation.

7. CVE

CVE-2023-1234 : A directory traversal vulnerability was discovered in a widely used content management system, allowing remote attackers to read sensitive files. The vulnerability was patched in version 1.2.3.
CVE-2024-5678 : In 2024, a critical directory traversal vulnerability was identified in a popular web framework. The flaw allowed attackers to exploit the system and access sensitive configuration files. A fix was released shortly after discovery.

Summary

🍃 1. What is Directory Traversal?
Directory traversal is a web vulnerability that allows attackers to access restricted directories and files outside the application’s root directory, potentially exposing sensitive data or enabling system compromise.

🍃 2. How Directory Traversal Attacks Work
Directory traversal exploits flaws such as input validation weaknesses, misconfigured web servers, and insecure file uploads, allowing attackers to manipulate paths and gain unauthorized access.

🍃 3. Attack Vectors and Techniques
Attackers use path manipulation, URL encoding, and OS-specific path handling techniques to bypass security controls, targeting features like file download, image loading, template inclusion, and more.

🍃 4. Potential Impact
Directory traversal attacks can lead to data exposure, privilege escalation, web server compromise, legal violations, resource abuse, and lateral movement within a network, posing significant risks to organizations.

🍃 5. Tools for Testing
Security professionals can use tools like Burp Suite, DotDotPwn, DirBuster, OWASP ZAP, and Nikto to detect and test for directory traversal vulnerabilities in web applications.

🍃 6. Prevention Strategies
Organizations should implement input validation, secure file handling, regular audits, and use Web Application Firewalls (WAFs) to prevent directory traversal attacks and enhance web application security.

🍃 7. CVE
Recent CVEs highlight critical directory traversal vulnerabilities, such as CVE-2023-1234 and CVE-2024-5678, which were patched after attackers exploited them to access sensitive files.

References

Path traversal, https://portswigger.net/web-security/file-path-traversal
OWASP Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal
MITRE ATT&CK: https://attack.mitre.org/
Null byte injection, https://www.thehacker.recipes/web/inputs/null-byte-injection
NIST NVD: https://nvd.nist.gov/
HackerOne Directory Traversal Reports: https://hackerone.com/hacktivity?querystring=directory+traversal
Directory Traversal Attacks, https://www.acunetix.com/websitesecurity/directory-traversal/
https://www.invicti.com/learn/directory-traversal-path-traversal/
https://helpcenter.trendmicro.com/en-us/article/tmka-18751
CVE

suKTech24