What is directory traversal?

Some web applications give you access to directories containing files you are allowed to display or download.

Imagine a web app that lets users share images of their custom skateboards or bikes. Images uploaded by the site’s users could all be stored in a given directory.

If you click on one of these images, say on the site’s catalog pages, you’ll access the image and your browser’s address bar will display something like this:
http://targetsite.com/get.php?file=bike_photo.jpg

Now suppose you want to access files located elsewhere in the server’s file system, such as sensitive files containing details on the server, the users, or even login credentials (for the sake of this example, let’s assume you want to display the content of the passwd file, which contains details on the users of a Linux system).

You could try to abuse the URL with a directory traversal technique. This will let you access files, using the web application’s privileges on the system.

How do you do it?

A web application will often hold its files in /var/www/app.

Directory traversal is when you navigate the directory tree by adding one or several ../ sequences in the URL. Each of them will move you one step up the directory tree. Once you are at the root of the file system, you can navigate down to the file you want.

For a website hosted on a Linux server, the URL will look like this:
http://targetsite.com/get.php?file=../../../../etc/passwd

Note that once you are at the root of the file system, extra ../ sequences will have no effect as you can’t go anywhere higher.
So if you are unsure where exactly the directory you have access to is located, you can safely add a few extra ../ sequences to be sure to hit the root of the file system before navigating down to the file you want.

How about Windows?

If you are targeting a web application hosted on a Windows server, directory traversal still works. But you have to adjust the syntax.

Suppose you want to display the boot.ini file located at c:\boot.ini. Try one of the following:

http://webapp.thm/get.php?file=../../../../boot.ini

http://webapp.thm/get.php?file=../../../../windows/win.ini

Not always this easy…

As usual, real-life situations will not be as easy as the theory outlined here. Web developers will usually include filters that will spot and neutralize directory traversal attempts.

As an example, some web apps will identify and eliminate ../ sequences in the URL requested by users.

In this case, instead of using this path:
../../../etc/passwd
try using
....//....//....//etc/passwd

If the filter makes a single pass over the URL, removing the ../ inside each ....// leaves ../ behind, so you end up with the original sequence. If a second check is not performed, your URL will get past the filter.

This is just an example. There are many possible ways of filtering directory traversal attempts and – thankfully – many ways to circumvent these filters.
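Why the single-pass filter described above fails, and a containment check that does not rely on stripping anything, shown as an added Python example (not code from the original post or from any real application). BASE_DIR reuses the article's /var/www/app; the function names are hypothetical.

```python
import posixpath

BASE_DIR = "/var/www/app"  # directory from the article, assumed to be the only allowed root


def naive_filter(name):
    """The filter the article describes: one left-to-right pass removing '../'."""
    return name.replace("../", "")


def resolve(base, name):
    """Join and collapse '..' segments, as the file system would."""
    return posixpath.normpath(posixpath.join(base, name))


def safe_resolve(base, name):
    """Canonicalize first, then require the result to stay under base."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    # Treat backslashes as separators so Windows-style input is covered too.
    candidate = resolve(base, name.replace("\\", "/"))
    # String-only check so the example runs offline; on a real server also
    # resolve symlinks (os.path.realpath) before comparing.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def is_blocked(name):
    """True when safe_resolve rejects the requested name."""
    try:
        safe_resolve(BASE_DIR, name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs, taken from the paths shown in the article.
    payload = "....//....//....//etc/passwd"
    filtered = naive_filter(payload)
    print("after naive filter:", filtered)
    print("naive filter then join:", resolve(BASE_DIR, filtered))
    for name in ("bike_photo.jpg", filtered, "/etc/passwd", payload):
        print(name, "->", "blocked" if is_blocked(name) else "allowed")
```

The unfiltered ....// string is allowed by the containment check because "...." is just an odd directory name that stays inside the base directory; only the result of the naive filter escapes it.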

As a final note, using a directory traversal technique will be particularly helpful when attempting to exploit local file inclusion (LFI) vulnerabilities. You’ll find details here.

Hi! I'm a tech journalist, getting my feet wet in ethical hacking. What you will find here is me taking notes on the tools and techniques I’m learning and offering answers to the questions I had when I first got started not so very long ago.
