25 lines
1.4 KiB
Plaintext
25 lines
1.4 KiB
Plaintext
=== Path traversal
|
|
|
|
A path(directory) traversal is a vulnerability where an attacker is able to access or store files and directories outside
|
|
the location where the application is running. This may lead to reading files from other directories and in case of a file
|
|
upload overwriting critical system files.
|
|
|
|
=== How does it work?
|
|
|
|
For example let's assume we have an application which hosts some files and they can be requested in the following
|
|
format: `http://example.com/file=report.pdf` now as an attacker you are interested in other files of course so
|
|
you try `http://example.com/file=../../../../../etc/passwd`. In this case you try walk up to the root of the filesystem
|
|
and then go into `/etc/passwd` to gain access to this file. The `../` is called dot-dot-slash which is another name
|
|
for this attack.
|
|
|
|
Of course this is a very simple example and in most cases this will not work as frameworks implemented controls for
|
|
this, so we need to get a little more creative and start encoding `../` before the request is sent to the server.
|
|
For example if we URL encode `../` you will get `%2e%2e%2f` and the web server receiving this request will decode
|
|
it again to `../`.
|
|
|
|
Also note that avoiding applications filtering those encodings double encoding might work as well. Double encoding
|
|
might be necessary in the case where you have a system A which calls system B. System A will only decode once and
|
|
will call B with the still encoded URL.
|
|
|
|
|