- All the theory here was extracted from PortSwigger Academy
What is path traversal?
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This might include:
- Application code and data.
- Credentials for back-end systems.
- Sensitive operating system files.
In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Reading arbitrary files via path traversal
Imagine a shopping application that displays images of items for sale. This might load an image using the following HTML:
<img src="/loadImage?filename=218.png">
Theย loadImageย URL takes aย filenameย parameter and returns the contents of the specified file. The image files are stored on disk in the locationย /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In other words, the application reads from the following file path:
/var/www/images/218.png
This application implements no defenses against path traversal attacks. As a result, an attacker can request the following URL to retrieve theย /etc/passwdย file from the serverโs filesystem:
https://insecure-website.com/loadImage?filename=../../../etc/passwd
This causes the application to read from the following file path:
/var/www/images/../../../etc/passwd
The sequenceย ../ย is valid within a file path, and means to step up one level in the directory structure. The three consecutiveย ../ย sequences step up fromย /var/www/images/ย to the filesystem root, and so the file that is actually read is:
/etc/passwd
On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server, but an attacker could retrieve other arbitrary files using the same technique.
On Windows, bothย ../ย andย ..\ย are valid directory traversal sequences. The following is an example of an equivalent attack against a Windows-based server:
https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
Common obstacles to exploiting path traversal vulnerabilities
Many applications that place user input into file paths implement defenses against path traversal attacks. These can often be bypassed.
If an application strips or blocks directory traversal sequences from the user-supplied filename, it might be possible to bypass the defense using a variety of techniques.
You might be able to use an absolute path from the filesystem root, such asย filename=/etc/passwd, to directly reference a file without using any traversal sequences.
You also might be able to use nested traversal sequences, such asย ....//ย orย ....\/. These revert to simple traversal sequences when the inner sequence is stripped. (....//....//....//)
In some contexts, such as in a URL path or theย filenameย parameter of aย multipart/form-dataย request, web servers may strip any directory traversal sequences before passing your input to the application. You can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, theย ../ย characters. This results inย %2e%2e%2fย andย %252e%252e%252fย respectively. Various non-standard encodings, such asย ..%c0%afย orย ..%ef%bc%8f, may also work.
For Burp Suite Professional users, Burp Intruder provides the predefined payload listย Fuzzing - path traversal. This contains some encoded path traversal sequences that you can try.
An application may require the user-supplied filename to start with the expected base folder, such asย /var/www/images. In this case, it might be possible to include the required base folder followed by suitable traversal sequences. For example:ย filename=/var/www/images/../../../etc/passwd.
An application may require the user-supplied filename to end with an expected file extension, such asย .png. In this case, it might be possible to use a null byte to effectively terminate the file path before the required extension. For example:ย filename=../../../etc/passwd%00.png.