Directory Traversal Attack
Objective
Learn how to perform and understand directory traversal attacks, a vulnerability that allows attackers to access restricted directories and execute unauthorized commands. This lab demonstrates identifying, exploiting, and mitigating directory traversal vulnerabilities in a controlled environment.
Prerequisites
- Testing Environment:
  - Set up a vulnerable web application using tools like DVWA (Damn Vulnerable Web Application) or bWAPP.
- Linux Environment:
  - A Linux system or virtual machine with administrative privileges.
- Basic Networking and Web Knowledge:
  - Familiarity with HTTP requests, web servers, and file systems.
- Burp Suite Installed (Optional):
  - For advanced interception and testing.
Step 1: Understanding Directory Traversal
- What is Directory Traversal?
  - An attack that exploits improper validation of user-supplied input.
  - Allows access to restricted directories, potentially exposing sensitive files like `passwd` or `config`.
- Common Indicators:
  - URL or form fields accepting file paths (e.g., `?file=example.txt`).
  - Improperly sanitized user input.
- Key Payloads:
  - Relative paths with `../` to navigate directories.
  - Example: `../../../../etc/passwd`
Step 2: Identifying Vulnerabilities
- Locate Input Fields:
  - Look for parameters that accept file paths (e.g., `?file=` or `?page=`).
- Basic Testing:
  - Submit payloads like `../` or `../../etc/passwd` to the input field.
  - Observe the response for indications of success (e.g., readable content or errors).
- Intercept Requests (Optional):
  - Use Burp Suite to intercept and modify HTTP requests.
  - Add payloads to test for traversal.
Example Request:
    GET /vulnerable_app/?file=../../etc/passwd HTTP/1.1
    Host: example.com
Step 3: Exploiting the Vulnerability
- Access Sensitive Files:
  - Try payloads to access system files like:
    - `../../../../etc/passwd`
    - `../../../../windows/system32/drivers/etc/hosts`
- Enumerate Application Files:
  - Check for configuration files:
    - `../../../../var/www/html/config.php`
    - `../../../../config/settings.yml`
- Leverage File Inclusion:
  - If the application supports file execution, attempt to execute malicious code.
Step 4: Mitigating Directory Traversal
- Validate Input:
  - Use a whitelist of acceptable inputs.
  - Reject suspicious characters like `../` and `..\`.
- Sanitize User Input:
  - Normalize paths before processing.
  - Remove relative path characters.
- Use Secure APIs:
  - Employ APIs that restrict file access to specific directories.
  - Example: PHP's `realpath()`.
- Least Privilege Principle:
  - Run applications with minimal permissions.
- Monitor Logs:
  - Regularly check logs for suspicious activity involving directory traversal attempts.
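The following is an added example, not part of the original lab, showing the mitigations above layered together in Python: decode the input before checking it (so the URL-encoded and double-encoded variants listed under Additional Tips are caught), reject `..` segments, apply a whitelist, normalize with `realpath` and confirm the result stays inside the base directory, and finally scan access-log lines for traversal attempts. The base directory, whitelist and log lines are constructed for the demo.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed web root and whitelist for the demo; a real application's will differ.
BASE_DIR = os.path.realpath("/var/www/html/vulnerable_app/pages")
ALLOWED = {"example.txt", "about.txt"}

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Peel repeated URL encoding so double-encoded %252e%252e%252f reads as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_safe_path(user_input: str) -> Optional[str]:
    """Return an absolute path under BASE_DIR, or None when the input is rejected."""
    decoded = decode_fully(user_input)
    # Layer 1: refuse traversal tokens (../ and ..\) and null bytes outright.
    if "\x00" in decoded or ".." in re.split(r"[\\/]", decoded):
        return None
    # Layer 2: whitelist of acceptable inputs.
    if decoded not in ALLOWED:
        return None
    # Layer 3: realpath-normalize and confirm the result is still inside BASE_DIR.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate

TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return access-log lines whose request path decodes to a traversal sequence."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+)', line)
        if match and TRAVERSAL_RE.search(decode_fully(match.group(1))):
            hits.append(line)
    return hits

# Constructed Apache-style access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerable_app/?file=example.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerable_app/?file=../../etc/passwd HTTP/1.1" 200 1780',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerable_app/?file=%252e%252e%252fetc/passwd HTTP/1.1" 200 1780',
]
```

The containment check in layer 3 is what makes `realpath()` effective: normalizing alone does not prevent escape unless the normalized result is compared against the allowed base directory.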
Step 5: Practical Exercise
Using DVWA
- Set the DVWA security level to Low.
- Navigate to the File Inclusion section.
- Test payloads:
  - `../../../../etc/passwd`
  - `../../../../var/www/html/config.php`
Using Burp Suite
- Intercept a request with a file path parameter.
- Modify the path to include traversal payloads.
- Observe the response for indications of success.
Additional Tips and Insights
- Automated Scanners:
  - Use tools like Nikto or OWASP ZAP to identify directory traversal vulnerabilities.
- Custom Payloads:
  - Experiment with encoding techniques:
    - URL Encoding: `..%2F..%2F`
    - Double Encoding: `%252e%252e%252f`
- Cross-Check Vulnerabilities:
  - Validate results with manual testing to confirm exploitation.
- Regular Updates:
  - Patch and update web applications to address known vulnerabilities.
Key Takeaways
- Directory traversal exploits improper validation of user input to access restricted files.
- Testing involves submitting relative path payloads and observing the application’s response.
- Implement input validation, sanitization, and secure APIs to mitigate the risk of traversal attacks.
- Always test in authorized environments to ensure ethical compliance.