Directory traversal is a vulnerability that occurs when developers use user-supplied input to fetch files from the underlying operating system without validating it. As you may know, the special sequence ../ (dot-dot-slash) moves one directory up in a file path. If a string containing it is used without proper sanitization to retrieve files, an attacker can exploit this to retrieve sensitive files by navigating up or down the file structure.
🧭 Exploiting Directory Traversal
If you see an application utilizing user-supplied input to fetch files, you should immediately test to see if it’s vulnerable to directory traversal. This can be fairly easy to spot.
Identifying a Vulnerable Endpoint
A common indicator is a URL that uses a GET parameter to load a file:
https://example.com/?page=index.html
In this example, there is a GET parameter called page which is used to load the contents of index.html. If improperly implemented, attackers can leverage the ../ technique to load any file they want.
The Attack Mechanism
In the application’s code, the GET parameter page is loaded into a variable, which is then passed to a function that opens the file and writes its contents into the response. If there are no additional checks (such as removing the ../ sequence or, better, ensuring the resolved path stays within an allowed directory), it can be exploited.
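The two branches described above, the unchecked path join and the "stays within an allowed directory" check, as an added Python example (not code from the original page; the function names, the temporary base directory and the request strings are constructed for the demonstration):

```python
import os
import tempfile
from typing import Dict, Optional

def resolve_page_vulnerable(base_dir: str, page: str) -> str:
    """The pattern the text describes: user input joined straight onto a path.
    "../" segments in `page` walk out of base_dir, and an absolute `page`
    makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, page))

def resolve_page(base_dir: str, page: str) -> Optional[str]:
    """Return the real path of `page` inside base_dir, or None if it escapes.
    The check runs on the fully resolved path, not on the raw string, so it
    is not fooled by "..../" tricks that survive naive "../" stripping, by
    mixed separators, or by symlinks inside base_dir that point outside it.
    The web framework URL-decodes the parameter before it reaches this code."""
    if "\x00" in page or os.path.isabs(page):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    # Accept only if the resolved candidate sits at or below the real base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Run both resolvers against a benign request and two traversal payloads
    (constructed inputs, inside a throwaway directory)."""
    base = tempfile.mkdtemp()
    requests = ["index.html", "../../../../etc/passwd", "/etc/passwd"]
    results: Dict[str, Dict[str, Optional[str]]] = {}
    for page in requests:
        results[page] = {
            "vulnerable": resolve_page_vulnerable(base, page),
            "hardened": resolve_page(base, page),
        }
    return results

if __name__ == "__main__":
    for page, r in demo().items():
        print(f"{page!r}: vulnerable -> {r['vulnerable']}, hardened -> {r['hardened']}")
```

The hardened resolver rejects both payloads while still serving index.html; it is the check a code reviewer should look for wherever a request parameter ends up in a file open.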
Proof of Concept (PoC)
To exploit this, an attacker supplies a payload that moves up several directories until the root of the file system is reached and then specifies the path to a known sensitive file.
Each ../ moves one level up the file system hierarchy; enough of them reach the root, after which a sensitive file such as the Linux user account file can be requested:
../../../../etc/passwd
A successful request returns the /etc/passwd file from the operating system. In case you didn’t know, the /etc/passwd file stores information on each user account in a Linux system.
Summary
Directory traversal is an easy bug for developers to introduce if they aren’t thinking about path handling when coding. If an application uses user-supplied input to interact with files on the system, there is a high chance the endpoint is vulnerable to directory traversal.
If you do find this vulnerability, make sure to look for sensitive files like:
- Configuration files (which may contain credentials or API keys)
- Application source code (to find other vulnerabilities)
- Files that could be overwritten (especially if the vulnerability is found in an upload functionality, potentially leading to Remote Code Execution).