
What is Directory Traversal Vulnerability

Captain Salem 5 min read

Welcome back my enthusiastic hackers!

In this tutorial, we are going to explore one of the most common web application vulnerabilities known as a directory traversal. We will learn what directory traversal is, how to perform a directory traversal attack, the various obstacles when testing out directory traversal attacks, and explain some measures you can take to mitigate against directory traversal.

What is Directory Traversal?

Directory traversal, also known as file path traversal, is a web application vulnerability that allows an attacker to read arbitrary files on the server where the web application is running.

Using a directory traversal attack, an attacker can read application code, data, sensitive credentials for back-end systems, sensitive operating system files, and more.

Depending on the configuration, a directory traversal attack can also allow an attacker to write arbitrary files on the target server. This can allow the attacker to modify the application behavior or take full control of the server depending on which files are affected.

Read Arbitrary Files Via Directory Traversal

Let us now learn how we can read arbitrary files using directory traversal.

Requirements

To follow along with this post, we recommend you have:

  • Metasploitable 2 installed, or
  • the DVWA application.

If you do not have Metasploitable 2 installed, you can check the link below.

https://www.geekbits.io/how-to-setup-metasploitable-on-vmware/

Explaining Directory Traversal

Before we dive into action, let us understand how directory traversal works.

Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:

<img src="/loadImage?filename=218.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file.

The image files themselves are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:

/var/www/images/218.png

The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server’s filesystem:

https://target.app/loadImage?filename=../../../etc/passwd

This causes the application to read from the following file path:

/var/www/images/../../../etc/passwd

The sequence ../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, and so the file that is actually read is:

/etc/passwd

On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server.

On Windows, both ../ and ..\ are valid directory traversal sequences, and an equivalent attack to retrieve a standard operating system file would be:

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Source: PortSwigger Academy

Reading Files Using Directory Traversal - DVWA

To demonstrate how we can exploit a directory traversal vulnerability, we will use the Damn Vulnerable Web Application that comes with Metasploitable 2.

Start Metasploitable and log in with the msfadmin/msfadmin username and password combination.

Next, run the command below to get the IP address of the target machine, in this case, Metasploitable 2.

ifconfig

This should return the IP address of Metasploitable.


In this case, the IP address of Metasploitable is 192.168.10.128.

Open your browser and navigate to the IP address you got from the above command. This should display the default page and allow you to select which web application you wish to load. In our case, we wish to load the DVWA app.


This should prompt you to log in to the DVWA app. Use the admin/password combination. Once logged in, set the difficulty level to Low.


Low Difficulty Level

To exploit the directory traversal vulnerability in DVWA, go to the File Inclusion tab.


Here, change the page parameter in the URL from include.php to ../../../../../../etc/passwd.

Therefore, the URL should resemble something like this:

http://target-ip/dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd

Here, target-ip is the IP address of the Metasploitable machine you copied earlier.

This should return the contents of the /etc/passwd file as shown:


Medium Difficulty Level

Next, increase the security level of the DVWA application to Medium and attempt the above attack once again. You will notice that the attack does not work anymore.

This is because the application now strips the ../ and ..\ patterns from the input, so a direct traversal using relative path sequences no longer works.

However, we can still exploit the application by changing the page parameter from include.php to the absolute path /etc/passwd:

http://target-ip/dvwa/vulnerabilities/fi/?page=/etc/passwd

In this case, the application returns the contents of the file because we entered the path of the target file directly, and an absolute path contains no ../ sequence for the filter to remove.

High Difficulty Level

If we change the security level of the application to High, none of the above attacks work anymore. This is because the application is now configured to only allow inputs starting with the word file.

In this case, we can exploit the application by using the file:// URI scheme. Since the input starts with the word file, the application allows it and fetches the contents of the target file.

We only need to change the page parameter from include.php to file:///etc/passwd:

http://target-ip/dvwa/vulnerabilities/fi/?page=file:///etc/passwd

And there you have it. You have learned how a directory traversal vulnerability works and how you can exploit it using various techniques.
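As an added example (not code from the original post or from DVWA), here is a Python version of the loadImage handler's path logic from the explanation above: the naive join beside a hardened resolver that rejects all three inputs used against the DVWA levels (../ or ..\ traversal, an absolute path, and a file:// URI). The /var/www/images base directory is the one from the explanation; the function names are assumed.

```python
import os
import urllib.parse
from pathlib import Path

# Base directory from the loadImage explanation (assumed for this example).
IMAGE_BASE = Path("/var/www/images")


def vulnerable_path(filename: str, base: Path = IMAGE_BASE) -> str:
    """Naive join with no defence, POSIX semantics.

    ../ sequences walk out of `base`, and os.path.join discards `base`
    entirely when `filename` is absolute (the medium-level bypass).
    """
    return os.path.normpath(os.path.join(str(base), filename))


def safe_path(filename: str, base: Path = IMAGE_BASE) -> Path:
    """Resolve `filename` under `base` and refuse anything that escapes it.

    Order matters: a URI scheme is rejected before any path logic (a
    file:// value is not a path at all), an absolute path is rejected
    explicitly, and everything else is resolved and compared against the
    resolved base directory so that ../ and ..\\ cannot step above it.
    """
    if urllib.parse.urlsplit(filename).scheme:       # e.g. file:///etc/passwd
        raise ValueError("URI schemes are not allowed")
    name = filename.replace("\\", "/")               # treat ..\ like ../ everywhere
    if name.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    base_resolved = base.resolve()
    candidate = (base_resolved / name).resolve()     # collapses any ../ lexically
    if base_resolved not in candidate.parents:       # must be strictly inside base
        raise ValueError("path escapes the image directory")
    return candidate


def is_safe(filename: str) -> bool:
    """True if the request would be served, False if the resolver rejects it."""
    try:
        safe_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ["218.png", "../../../etc/passwd", "/etc/passwd", "file:///etc/passwd"]:
        print(f"{value!r:28} naive -> {vulnerable_path(value):28} safe -> {is_safe(value)}")
```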

How to Prevent Directory Traversal Attacks

The following are some measures you can take to prevent directory traversal attacks:

  1. Input validation and sanitization - Validate and sanitize user input to filter out potentially malicious characters.
  2. Use secure file handling API - Utilize secure file handling functions provided by your programming language or framework.
  3. Normalize and validate file paths - Ensure file paths conform to expected formats and remove any relative path elements.
  4. Enforce file system permissions - Set appropriate permissions to restrict access to sensitive files and directories.
  5. Implement access controls and authorization - Restrict user access based on roles and privileges.
  6. Employ a security framework - Use a web application security framework to protect against directory traversal attacks.
  7. Secure configuration - Configure your server and application to minimize vulnerabilities.
  8. Logging and monitoring - Implement comprehensive logging and monitoring to detect suspicious activities.
  9. Regular security assessments - Perform assessments and penetration testing to identify and address vulnerabilities.
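For item 8, an added example (not part of the original post) that scans constructed web-server access-log lines for the three request shapes used in the DVWA walkthrough (../ or ..\ sequences, an absolute path, and a file:// URI in a query parameter) and reports which technique each request matches. The log format, IP addresses and timestamps are constructed for the example.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
192.168.10.1 - - [17/Jul/2023:02:23:52 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532
192.168.10.1 - - [17/Jul/2023:02:23:55 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1" 200 2041
192.168.10.1 - - [17/Jul/2023:02:24:10 +0000] "GET /dvwa/vulnerabilities/fi/?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2041
192.168.10.1 - - [17/Jul/2023:02:24:31 +0000] "GET /dvwa/vulnerabilities/fi/?page=/etc/passwd HTTP/1.1" 200 2041
192.168.10.1 - - [17/Jul/2023:02:25:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=file:///etc/passwd HTTP/1.1" 200 2041
192.168.10.1 - - [17/Jul/2023:02:25:40 +0000] "GET /loadImage?filename=218.png HTTP/1.1" 200 8812
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_value(value: str) -> Optional[str]:
    """Name the traversal technique a (URL-decoded) parameter value matches."""
    if re.search(r"\.\.[/\\]", value):
        return "relative-traversal"      # ../ or ..\ (Low level in the walkthrough)
    if value.startswith("/"):
        return "absolute-path"           # /etc/passwd (Medium level)
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", value):
        return "uri-scheme"              # file:///etc/passwd (High level)
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per query parameter whose value looks like traversal."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        query = urllib.parse.urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so %2e%2e%2f is inspected as ../
        for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            technique = classify_value(value)
            if technique:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "param": name, "value": value, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']}  {f['technique']:19} {f['param']}={f['value']}  ({f['status']})")
```

A status of 200 on a flagged request is the strongest signal, since it means the server served the file rather than rejecting the input.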

Conclusion

Thank you for tuning in to another episode of Web Security. In this one, we learned what directory traversal is, how it works, and how to exploit a directory traversal vulnerability using DVWA.

Feel free to leave your thoughts in the comments below, or reach out to us to request a topic you would like us to cover.

See you in the next one. Hack the World!!
