Directory Traversal Attack

Directory Traversal Attack

Objective

Learn how to perform and understand directory traversal attacks, a vulnerability that allows attackers to access restricted directories and execute unauthorized commands. This lab demonstrates identifying, exploiting, and mitigating directory traversal vulnerabilities in a controlled environment.


Prerequisites

  1. Testing Environment:
    • Set up a vulnerable web application using tools like DVWA (Damn Vulnerable Web Application) or bWAPP.
  2. Linux Environment:
    • A Linux system or virtual machine with administrative privileges.
  3. Basic Networking and Web Knowledge:
    • Familiarity with HTTP requests, web servers, and file systems.
  4. Burp Suite Installed (Optional):
    • For advanced interception and testing.

Step 1: Understanding Directory Traversal

  1. What is Directory Traversal?
    • An attack that exploits improper validation of user-supplied input.
    • Allows access to restricted directories, potentially exposing sensitive files like passwd or config.
  2. Common Indicators:
    • URL or form fields accepting file paths (e.g., ?file=example.txt).
    • Improperly sanitized user input.
  3. Key Payloads:
    • Relative paths with ../ to navigate directories.
    • Example:
      ../../../../etc/passwd
      

Step 2: Identifying Vulnerabilities

  1. Locate Input Fields:
    • Look for parameters that accept file paths (e.g., ?file= or ?page=).
  2. Basic Testing:
    • Submit payloads like ../ or ../../etc/passwd to the input field.
    • Observe the response for indications of success (e.g., readable content or errors).
  3. Intercept Requests (Optional):
    • Use Burp Suite to intercept and modify HTTP requests.
    • Add payloads to test for traversal.

Example Request:

GET /vulnerable_app/?file=../../etc/passwd HTTP/1.1
Host: example.com

Step 3: Exploiting the Vulnerability

  1. Access Sensitive Files:
    • Try payloads to access system files like:
      ../../../../etc/passwd
      ../../../../windows/system32/drivers/etc/hosts
      
  2. Enumerate Application Files:
    • Check for configuration files:
      ../../../../var/www/html/config.php
      ../../../../config/settings.yml
      
  3. Leverage File Inclusion:
    • If the application supports file execution, attempt to execute malicious code.

Step 4: Mitigating Directory Traversal

  1. Validate Input:
    • Use a whitelist of acceptable inputs.
    • Reject suspicious characters like ../ and ..\.
  2. Sanitize User Input:
    • Normalize paths before processing.
    • Remove relative path characters.
  3. Use Secure APIs:
    • Employ APIs that restrict file access to specific directories.
    • Example: PHP’s realpath().
  4. Least Privilege Principle:
    • Run applications with minimal permissions.
  5. Monitor Logs:
    • Regularly check logs for suspicious activity involving directory traversal attempts.

Step 5: Practical Exercise

Using DVWA

  1. Set the DVWA security level to Low.
  2. Navigate to the File Inclusion section.
  3. Test payloads:
    ../../../../etc/passwd
    ../../../../var/www/html/config.php
    

Using Burp Suite

  1. Intercept a request with a file path parameter.
  2. Modify the path to include traversal payloads.
  3. Observe the response for indications of success.

Additional Tips and Insights

  1. Automated Scanners:
    • Use tools like Nikto or OWASP ZAP to identify directory traversal vulnerabilities.
  2. Custom Payloads:
    • Experiment with encoding techniques:
      • URL Encoding: ..%2F..%2F.
      • Double Encoding: %252e%252e%252f.
  3. Cross-Check Vulnerabilities:
    • Validate results with manual testing to confirm exploitation.
  4. Regular Updates:
    • Patch and update web applications to address known vulnerabilities.

Key Takeaways

  1. Directory traversal exploits improper validation of user input to access restricted files.
  2. Testing involves submitting relative path payloads and observing the application’s response.
  3. Implement input validation, sanitization, and secure APIs to mitigate the risk of traversal attacks.
  4. Always test in authorized environments to ensure ethical compliance.

Explore Next

Using Scanless for Easy Anonymous Port Scanning

Other Projects