Directory Traversal

What is a Directory Traversal attack?

One of the critical functions of a secure Web server is controlling access to restricted directories. HTTP exploit attacks circumvent Web server security and use malicious software to access the content of restricted directories. Directory Traversal is one such HTTP vulnerability.

The goal of a Directory Traversal attack is to execute commands that will access files that are intended to be restricted. This type of attack uses HTTP to bypass Web server and Web application security. It is enabled by insufficient and missing security measures in servers and websites.

Web servers use two types of mechanisms to prevent access unauthorized access to restricted directories and files:

The Root Directory – Limits user access to a specific directory (known as the root directory) and its subdirectories.

Directory Traversal

Directory Traversal

Access Controls Lists (ACLs) – Limits access to specific files within the root directory. Only users who are listed in the ACL for a file can access that file.

The root directory mechanism is an effective means for a Web server to prevent unauthorized users from executing files (such as cmd.exe on Windows) or accessing secure data (such as the ‘passwd’ file which is used to store passwords on Linux). Unfortunately, some Web servers have vulnerabilities in their root directory mechanism and use of ACLs.

Exploiting Directory Traversal Vulnerabilities

When Directory Traversal vulnerabilities exist, an attacker is able to access directories above the root directory. Once these directories are accessed, commands can be executed on the Web server and secure data can be copied or modified. The security of the Web server is severely compromised.

Directory traversal vulnerabilities can also be found in Web applications that run on Web servers. If an application developer fails to provide code to validate browser input, hackers can experiment with different input strings and access directories above the root.

Web Application Attack Example

For example, consider a Web application that processes an input field on a web page. The application takes character string from the input field and forms a URL that displays a dynamic page. The URL might look like this:

http://www.mycalendar.com/mydata.asp?item=tuesday.html

A hacker will notice that the parameter on the right side of ‘=’ is a web page file and guess that ‘mydata.asp’ is a script that can retrieve files. This URL is then copied by the hacker and edited. The hacker then inputs this new URL into the browser’s URL field:

http://www.mycalendar.com/mydata.asp?item=../../../../WINNT/win.ini

Directory Traversal

Directory Traversal

In the above example, the characters ‘../’ are used to access directories above the root directory. The hacker is experimenting to see if the WINNT directory is four levels up. If this is not the case, the hacker will try adding or subtracting ‘../’ characters. If a vulnerability exists in the Web application and the input is not filtered, the hacker will eventually find the correct sequence to access the WINNT directory and then can execute malicious commands.

Crafting Web Applications to Resist Attack

To avoid Directory Traversal attacks through user input, Web applications should filter and validate all inputs. Escape codes and directory paths should be filtered out to ensure that only safe inputs are passed to the Web server.

Web Server Attack Example

Possible areas of vulnerability in Web servers include scripts on the server and problems in the server software. For example, some versions of Microsoft IIS Web had vulnerabilities in the root directory validation code. Attackers could use a certain sequence of characters in a URL to execute scripts on the server.

An example of another type of vulnerability is shown in the URL below. The characters ‘%5c’ are a Web server escape code which is used to pass characters directly to the server.

http://www.mycalendar.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\

In this case, the escape code represents the character ‘\’. If a Web server does not check for escape characters, then the ‘\’ character will pass through. The request will cause the cmd.exe command shell program to be executed on the input string “dir c:\”, which will case the contents of the c: driver to be listed. The security of the system has now been compromised.

Up-to-date Web servers check for escape codes and block them from passing through. However, older versions of Web server software do not check for escape codes and are vulnerable to directory traversal and command execution via escape codes.

Hai Guy What about you..? Now You Got An Idea About it..!

About these ads

Comments Are Welcome

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s