Directory Traversal

Description

Directory Traversal (also referred to as Path Traversal) is a security vulnerability that allows attackers to access files or directories outside the intended scope of the web application's file system. This typically occurs when user input specifying a file path is not properly validated or sanitized. Attackers exploit this by inserting special directory traversal characters (e.g., ../) to climb up the directory tree and reveal sensitive system files or application data.

Directory Traversal is often seen in scenarios where applications allow users to download or view files by passing a file name or path as a parameter. If the application's back-end logic simply appends user-provided input to a base directory without further checks, malicious actors can manipulate this path to break out of the expected directory structure. Consequences include unauthorized reading of server files, exposure of credentials, or further exploitation of the host machine.

Directory Traversal vs. Local File Inclusion (LFI)

Directory Traversal lets attackers access arbitrary files by navigating outside intended directories (e.g., /etc/passwd). Local File Inclusion (LFI) allows inclusion of local files in web applications, potentially leading to code execution. While both expose sensitive data, LFI can be more dangerous if exploited for execution.

Examples

Simple ../ Attack

An application might allow users to specify a filename via a URL parameter:

https://example.com/getFile?name=report.pdf

If the server code concatenates name with a directory path, for example "/var/www/files/" + name, and does not sanitize the input, an attacker could send:

https://example.com/getFile?name=../../etc/passwd

This might expose the content of /etc/passwd (if permissions allow), providing sensitive information about user accounts on the server.

Windows Environments

On Windows servers, directory traversal often uses backslashes (..\) instead of forward slashes. For instance:

https://example.com/getFile?name=..\\..\\Windows\\System32\\config\\SAM

which could reveal critical system registry data under certain conditions.

Chained with Other Vulnerabilities

Directory Traversal vulnerabilities can sometimes be chained with other attacks:

  • Local File Inclusion (LFI): An attacker can leverage path traversal in an LFI scenario to include sensitive files in the application's output or potentially execute scripts.
  • Log File Poisoning: If an application allows manipulation of file paths and logs, an attacker may inject malicious content into logs and then retrieve or execute that content via directory traversal.

Remediation

  1. Strict Input Validation and Sanitization

    • Remove or encode any directory traversal sequences (e.g., ../ or ..\) from user inputs.
    • Restrict file names to alphanumeric characters and whitelisted file extensions when possible.

  2. Use Secure File Handling Mechanisms

    • Rely on server-side logic that enforces a predefined file directory or store allowed file references in a secure mapping.
    • Avoid passing raw user input directly into file system calls. Instead, map user-requested filenames to verified internal paths.

  3. Enforce Least Privilege and Directory Restrictions

    • Run the application with the minimum privileges necessary.
    • Configure your web server and file system so that the application process has access only to the directories it needs. For instance, use mechanisms like chroot jails, SELinux policies, or Docker containers to confine the application's file system access.

  4. Use Built-In Security Features

    • If your programming language or framework offers built-in file handling functions with path normalization or sandboxing, leverage them.
    • For instance, in Java, java.nio.file.Files and java.nio.file.Paths can help normalize paths and reduce the risk of directory traversal.