What is Directory Traversal? Understanding the Directory Attack

Directory Traversal, also known as Path Traversal, is a critical HTTP exploit that allows a threat actor to access data outside the web server's root directory. If a web application is not properly secured, a malicious user can manipulate variables to access files and folders that should be restricted.

By exploiting vulnerabilities in the application code, an attacker can step out of the intended folder structure. If successful, the server retrieves the file requested by the hacker rather than the intended web page. This grants unauthorized access to sensitive server configuration files, password hashes, or other restricted data.

How the Attack Works

A directory attack typically relies on the insufficient sanitisation of user input. Web browsers and applications often use input parameters to fetch files.

For example, a legitimate URL might look like this: https://www.leansecurity.com.au/load_image?filename=logo.png

In this scenario, the server looks for logo.png inside the standard image directory. However, operating systems generally use the "dot-dot-slash" (../) sequence to move up one level in the directory tree.

A skilled attacker might manipulate the input to traverse the file system using a relative path: https://www.leansecurity.com.au/load_image?filename=../../../etc/passwd

If the application fails to validate this input, the attack exploits the server's logic to serve the /etc/passwd file (a standard password file on Unix/Linux systems).

URL Encoding and Bypass Techniques

Attackers often use encoding to bypass basic security filters. For instance, the hex code 2e 2e represents .. (dot dot). By using URL encoding (e.g., %2e%2e%2f), attackers can trick filters that only look for the standard dot-dot-slash characters.

They may also attempt to guess the absolute path of a file (e.g., C:\Windows\win.ini) rather than climbing the directory tree step-by-step.

The Risks: From Information Disclosure to Full Compromise

The impact of this vulnerability ranges from sensitive data exposure to a complete system takeover.

• Read Arbitrary Files: Attackers can view application code, data, and credentials.

• Write Arbitrary Files: In some cases, the attacker can write to files, potentially modifying scripts to execute malicious commands.

• Remote Code Execution (RCE): If an attacker can upload a file or poison a log file and then access it via traversal, they may execute commands on the web server, leading to full compromise.

Detecting Directory Traversal Vulnerabilities

Finding these flaws manually involves educated guesswork and searching the directory tree for sensitive paths. However, for comprehensive coverage, automated tools are essential.

A professional web vulnerability scanner will crawl the entire site to identify where input validation is weak. These scanners simulate a directory attack by injecting traversal sequences into input fields to see if the server responds with sensitive data. This process helps identify not only traversal issues but also SQL injection and Cross-Site Scripting (XSS).

Prevention and Remediation

Preventing directory traversal requires a defense-in-depth approach focusing on strict access control and input validation.

1. Input Validation: Ideally, do not pass user-supplied input directly to filesystem APIs. If you must, ensure the input contains only permitted characters (allow-listing) such as alphanumeric characters, stripping out . , / , and \.

2. Use Indexes: Instead of using actual filenames in parameters (e.g., file=report.pdf), use indirect references or IDs (e.g., file_id=5) mapped to the actual files server-side.

3. Canonicalisation: Before validating, convert the file path to its canonical (simplest absolute) form. This resolves sequences like 2e 2e or ../ so you can check the actual path being requested.

4. Restrict Permissions: Ensure the web application runs with the least privileges necessary. Even if an attacker retrieves the file path, file system permissions should prevent access to critical OS files.

5. Patch Management: Ensure your web server software and operating systems are up to date with the latest security patches.

By securing directories and files through proper coding practices and regular security testing, you protect not only the server data but also the home users and clients who rely on the integrity of your application.