🧠🌐 Path Traversal

Exploring 'Path Traversal' in Web Security

📌 Introduction

In this article, we will analyze the ‘Path Traversal’ vulnerability. We will go through theory, attack techniques, and practical solutions while also discussing mitigation strategies to secure applications.

📚 Main Contents

What is Path Traversal?

Path Traversal, also known as Directory Traversal (CWE-35), is a vulnerability that allows an attacker to read arbitrary files present on the server hosting a web application. In some cases, this vulnerability can even allow an attacker to write files or modify their paths, altering the behavior of the web application or, in the worst-case scenario, completely compromising the server.

How does it work?

Let’s imagine having a web application that allows users to search for images and display them on a page. After performing a search, the URL might change to:

https://example.com/?search=example.png

The search parameter specifies the name of the image to be loaded. The application logic expects that the image example.png, if present on the server, will be displayed within the page through the following HTML code:

<img src="example.png_path">

Where example.png_path will be replaced with the actual file path of the image on the server. That path is resolved relative to the directory in which the .html page we are viewing resides. If the application applies no proper protections to the search parameter, a user can supply a different path and thereby read arbitrary files present on the server.

🛠️ Exploiting the Vulnerability

A common test to check for this vulnerability is to try accessing the /etc/passwd file (if the web server is running on Linux), which is present on nearly all Linux systems and contains information about the system’s users.

Since the /etc directory is located directly under the root / of the filesystem, we can try moving up through the directories using ../, where each ../ moves one level up in the hierarchy. However, it is important to note that on a Linux system it is not possible to go above the root / directory, because it represents the highest point in the filesystem hierarchy.

To access the /etc/passwd file, we can use the following payload:

../../../../../../etc/passwd

This method exploits the fact that, regardless of the current directory depth, once the ../ sequences reach the root / any excess ../ is simply collapsed, and the remainder of the path is resolved as the absolute path /etc/passwd.

By inserting this into the URL:

https://example.com/?search=../../../../../../etc/passwd

If the application is vulnerable, instead of the expected image, the contents of the /etc/passwd file will be displayed.

🔐 Mitigation & Prevention

To protect an application from Path Traversal attacks, the following measures can be adopted:

  • Input validation: Ensure that the parameter only accepts valid filenames, preventing the use of special characters like ../.
  • File whitelist: Limit access only to specific and predefined files.
  • Use of absolute paths: Avoid referencing relative paths and ensure that files are only loaded from authorized directories.
  • Correct permissions configuration: Limit access to sensitive files and ensure that the web server has the minimal privileges necessary.

Path Traversal is a critical vulnerability, but it can be easily mitigated with proper input validation and careful server configuration.
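The following added example (not code from the original article) puts the two halves of this post side by side: a naive resolver that concatenates the search parameter onto the image directory, which is exactly what lets ../../../../../../etc/passwd collapse to /etc/passwd, and a hardened resolver that applies the mitigations listed above (decode once, reject null bytes, allow-list the filename, and confirm the canonical absolute path stays under the image directory). The image directory /var/www/images and the handler names are assumptions for illustration.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory the application serves images from (constructed for the example).
IMAGE_ROOT = "/var/www/images"

# Allow-list: a plain filename with an image extension, nothing else.
# No "/" or "\" means no directory component, so "../" can never appear.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)")


def naive_resolve(image_root: str, search: str) -> str:
    """The vulnerable logic: glue user input onto the image directory.

    posixpath.normpath shows what the kernel would do with the result:
    '..' segments pop directories, extra '..' at '/' are dropped, and an
    absolute 'search' value replaces image_root entirely (join discards
    the left side when the right side starts with '/').
    """
    return posixpath.normpath(posixpath.join(image_root, search))


def safe_resolve(image_root: str, search: str):
    """Return the canonical path of the requested image, or None to refuse.

    Each step maps to one of the mitigations in the article; the final
    realpath/commonpath check is defence in depth in case the allow-list
    is ever loosened.
    """
    # Decode exactly once. Decoding again would turn %252e%252e into '..'.
    name = unquote(search)

    # Null bytes truncate paths in C-backed libraries ("image.png\x00.txt").
    if "\x00" in name:
        return None

    # Input validation: only a bare filename from the allow-list.
    if not SAFE_FILENAME.fullmatch(name):
        return None

    # Use of absolute paths: canonicalise (resolving symlinks and '..')
    # and insist the result is still inside the image directory.
    root = os.path.realpath(image_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts
    # of the kinds listed in the practical labs below.
    samples = [
        "example.png",
        "../../../../../../etc/passwd",   # simple traversal
        "/etc/passwd",                     # absolute path bypass
        "....//....//etc/passwd",          # non-recursive stripping bypass
        "%252e%252e%2fetc%2fpasswd",       # double URL-encoding
        "../../../etc/passwd%00.png",      # null byte extension bypass
    ]
    for s in samples:
        print(f"{s!r:40} naive -> {naive_resolve(IMAGE_ROOT, s):32} safe -> {safe_resolve(IMAGE_ROOT, s)}")
```

Running the block prints, for each sample, where the naive resolver would end up (every traversal variant lands on /etc/passwd or escapes the image directory) and shows that the hardened resolver refuses all of them while still serving example.png. Note that the allow-list alone already blocks every sample; the realpath check is there so that a later change to the allow-list cannot silently reopen the hole.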


🎯 Final Thoughts

Path Traversal is a fairly simple vulnerability, but it is crucial to know for Web Exploitation. When present, it can also serve as a building block in a chain of multiple vulnerabilities; chaining findings in this way is a well-known approach to raising the overall severity of an assessment.

🔹 Always test applications in a controlled environment to safely explore security flaws.
🔹 Keep learning and stay updated with new attack techniques and defenses! 🚀

📜 Practical Labs

  1. File path traversal, simple case
  2. File path traversal, traversal sequences blocked with absolute path bypass
  3. File path traversal, traversal sequences stripped non-recursively
  4. File path traversal, traversal sequences stripped with superfluous URL-decode
  5. File path traversal, validation of start of path
  6. File path traversal, validation of file extension with null byte bypass

Explore the path traversal tag as well, maybe you’ll find some interesting challenges.


📚 Resources & Further Reading

🔗 PortSwigger Path Traversal
🔗 OWASP Path Traversal