Welcome back my enthusiastic hackers!
What is Directory Traversal?
Directory traversal, also known as file path traversal is a web application vulnerability that allows an attacker to read arbitrary files on the server where the web application is running.
Using a directory traversal attack, an attack can read application code, data, sensitive credentials for back-end systems, sensitive operating system files, and more.
Depending on the configuration, a directory traversal attack can also allow an attacker to write arbitrary files on the target server. This can allow the attacker to modify the application behavior or take full control of the server depending on which files are affected.
Read Arbitrary Files Via Directory Traversal
Let us now learn how we can read arbitrary files using directory traversal.
To follow along with this post, we recommend you have:
- Metasploitable 2 installed.
- or DVWA application.
If you you do not have Metasploitable 2 installed, you can check the link below.
Explaining Directory Traversal
Before we dive into action, let us understand how directory traversal works.
Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:
loadImage URL takes a
filename parameter and returns the contents of the specified file.
The image files themselves are stored on disk in the location
/var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:
The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server's filesystem:
This causes the application to read from the following file path:
../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive
../ sequences step up from
/var/www/images/ to the filesystem root, and so the file that is actually read is:
On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server.
On Windows, both
..\ are valid directory traversal sequences, and an equivalent attack to retrieve a standard operating system file would be:
Source: Port Swigger Academy
Reading Files Using Directory Traversal - DVWA
To demonstrate how we can exploit a directory traversal vulnerability, we will use the Damn Vulnerable Web Application that comes with Metasploitable 2.
Start Metasploitable and login with the
msfadmin/msfadmin username and password combination.
Next, run the command below to get the IP address of the target machine, in this case, Metasploitable 2.
This should return the IP of metasploitable.
In this case, the IP of metasploitable is
Open your browser and navigate to the IP address you got from the above command. This should display the default page and allow you to select which web application you wish to load. In our case, we wish to load the DVWA app.
This should prompt you to login to the DVWA app. Use the
admin/password combination. Once logged, in set the difficulty level to low.
Low Difficulty Level
In DVWA, to exploit the directory traversal vulnerability of the DVWA app, go to the File Inclusion tab.
Here, change the URL from incude.php to ?page=../../../../../../etc/passwd.
Therefore, the URL should resemble something like this:
target-ip is the IP address of the metasploitable machine you copied earlier.
This should return the contents of the
/etc/passwd file as shown:
Medium Difficulty Level
Next, increase the security level of the DVWA application to Medium and attempt the above attack once again. You will notice that the attack does not work anymore.
This is because the application is now configured to filter for the
..\ patterns. This removes the ability for you to perform a direct directory traversal using absolute path.
However, we can still exploit the application by changing the path of include.php to /etc/passwd
In this case, the application returns the content of the file as we entered the path of the target file directly.
High Difficulty Level
If we change the security level of the application to HIGH, we will notice that none of the above attacks work anymore. This is because the application is now configured to only allow the inputs starting with the word
In this case, we can exploit the application by using the
file:// URI schema. Since it starts with the word
file, the application will allow it and fetch the contents of the target file.
In this case, we only need to change the the URL from include.php to ?page=file:///etc/passwd
And there you have it. You have learned how a directory traversal vulnerability works and how you can exploit using various techniques.
How to Prevent Directory Traversal Attacks
The following are some measures you can take to prevent against directory traversal attacks:
- Input validation and sanitization - Validate and sanitize user input to filter out potentially malicious characters.
- Use secure file handling API - Utilize secure file handling functions provided by your programming language or framework.
- Normalize and validate file paths - Ensure file paths conform to expected formats and remove any relative path elements.
- Enforce file system permissions - Set appropriate permissions to restrict access to sensitive files and directories.
- Implement access controls and authorization - Restrict user access based on roles and privileges.
- Employ a security framework: Use a web application security framework to protect against directory traversal attacks.
- Secure configuration - Configure your server and application to minimize vulnerabilities.
- Logging and monitoring - Implement comprehensive logging and monitoring to detect suspicious activities.
- Regular security assessments - Perform assessments and penetration testing to identify and address vulnerabilities.
Thank you for tuning to another episode of Web Security. In this one, we learned what is directory traversal, how it works, and how to exploit a directory traversal vulnerability using DVWA.
Feel free to leave your thoughts in the comment below or reach out to use to cover a given topic.
See you in the next one. Hack the World!!