Some web applications give you access to directories containing files you are allowed to display or download.
Imagine a web app that lets users share images of their custom skateboards or bikes. Images uploaded by the site’s users could be all stored in a given directory.
If you click on one of these images, say on the site’s catalog pages, you’ll access the image and your browser’s address bar will display something like this:
Now suppose you want to access files located elsewhere in the server’s file system, such as sensitive files containing details on the server, the users, or even login credentials (for the sake of this example, let’s assume you want to display the content of the passwd file, /etc/passwd, which lists the user accounts of a Linux system).
You could try to abuse the URL with a directory traversal technique. This lets you read files with the privileges of the account the web application runs as: anything that account can read is exposed, and anything it cannot (say, files readable only by root on a server where the application runs as an unprivileged user) stays out of reach.
How do you do it?
A web application will often hold its files in
Directory traversal is when you navigate the directory tree by adding one or several ../ sequences to the URL. Each of them moves you one step up the directory tree. Once you are at the root of the file system, you can navigate down to the file you want.
For a web site hosted on a linux server, the URL will look like this:
Note that once you are at the root of the file system, extra ../ sequences have no effect, as you can’t go any higher.
So if you are unsure where exactly the directory you have access to is located, you can safely add a few extra ../ sequences to be sure to hit the root of the file system before navigating down to the file you want.
How about Windows?
If you are targeting a web application hosted on a Windows server, directory traversal still works, but you have to adjust the syntax: Windows accepts both the backslash and the forward slash as path separators, and the highest point you can climb to is the root of the drive rather than a single /.
Suppose you want to display the boot.ini file located in c:\boot.ini, then try one of the following:
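To make the climb concrete, the following Python is an added example and not code from the original article: it joins a user-supplied filename onto a hypothetical image directory the way a careless handler would, then normalises the result with the same lexical rules the operating system applies, once for a Linux root and once for a Windows drive. The two directory paths, the helper names and the sample targets are assumptions for the example; the article itself gives no actual URL.

```python
import posixpath
import ntpath

# Hypothetical directories the gallery app serves images from. Both are
# assumptions for this example, not paths taken from the article.
LINUX_IMAGE_DIR = "/var/www/app/images"
WINDOWS_IMAGE_DIR = r"C:\inetpub\app\images"


def traversal_payload(depth: int, target: str, sep: str = "/") -> str:
    """Build a filename made of `depth` parent-directory hops followed by
    the target, e.g. depth=3 -> '../../../etc/passwd'."""
    return f"..{sep}" * depth + target


def resolve_linux(user_path: str, base: str = LINUX_IMAGE_DIR) -> str:
    """Path a Linux server would actually open if it naively joins the
    user-supplied filename onto the image directory. normpath() applies the
    same lexical rule as the OS: each '..' goes up one level, and '..' at
    '/' stays at '/', which is why surplus '../' hops are harmless."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_windows(user_path: str, base: str = WINDOWS_IMAGE_DIR) -> str:
    """Same thing with Windows rules: '/' and '\\' are both separators, and
    '..' at the drive root stays at the drive root."""
    return ntpath.normpath(ntpath.join(base, user_path))


if __name__ == "__main__":
    # Two hops only reach /var/www; four reach /; twelve still reach /.
    for depth in (2, 4, 12):
        print(depth, resolve_linux(traversal_payload(depth, "etc/passwd")))
    # Either separator climbs to the drive root on Windows.
    print(resolve_windows(traversal_payload(4, "boot.ini", sep="/")))
    print(resolve_windows(traversal_payload(4, "boot.ini", sep="\\")))
```

Both resolvers are purely lexical, which is exactly what matters here: they show where the string lands, not whether the account the application runs as may read it, and they do not follow symbolic links the way the real file system would.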
Not always this easy…
As usual, real life situations will not be as easy as the theory outlined here. Web developers will usually include filters that will spot and neutralize directory traversal attempts.
As an example, some web apps will identify and eliminate ../ sequences in the URL requested by users.
In this case, instead of using this path:
If the filter reads the URL sequentially and removes each ../ it finds only once, eliminating the ../ sequences will leave you with the very ../ sequence the filter was meant to remove. If a second check is not performed (filtering again until nothing changes, or better, checking where the resolved path actually lands), your URL will get past the filter.
This is just an example. There are many possible ways of filtering directory traversal attempts and – thankfully – many ways to circumvent these filters.
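As an added example that is not part of the original article, the Python below models the behaviours just described: a single-pass filter that strips ../ once and can be defeated, the looped version that strips until nothing changes, and the check a developer should actually rely on, which canonicalises the joined path and verifies it stays inside the image directory. The directory path, the function names and the sample filenames are assumptions for the example.

```python
import posixpath

# Hypothetical image directory of the gallery app (an assumption for this
# example, not a path from the article).
IMAGE_DIR = "/var/www/app/images"


def naive_strip_filter(user_path: str) -> str:
    """Single-pass blacklist: delete every '../' found in one left-to-right
    scan. str.replace never re-reads the text it has just produced, so an
    input like '....//' loses its middle '../' and what remains is '../'."""
    return user_path.replace("../", "")


def looped_strip_filter(user_path: str) -> str:
    """The missing second check: strip again until no '../' is left, so a
    sequence re-created by one pass is removed by the next. The loop
    terminates because every pass shortens the string."""
    while "../" in user_path:
        user_path = user_path.replace("../", "")
    return user_path


def resolve(user_path: str, base: str = IMAGE_DIR) -> str:
    """Path the server would open after joining the (possibly filtered)
    filename onto the image directory. Lexical only: symlinks are not
    followed."""
    return posixpath.normpath(posixpath.join(base, user_path))


def is_safe_path(user_path: str, base: str = IMAGE_DIR) -> bool:
    """Allow-list check: canonicalise first, then require the result to sit
    inside base. It does not care how the traversal was spelled, and it
    also rejects absolute filenames, which posixpath.join would otherwise
    let replace base entirely. The trailing '/' stops a sibling such as
    base + '_private' from passing a bare prefix test."""
    full = resolve(user_path, base)
    return full == base or full.startswith(base + "/")


def serve_after(filter_fn, user_path: str) -> str:
    """What a vulnerable handler ends up opening: filter, then join and
    resolve."""
    return resolve(filter_fn(user_path))


if __name__ == "__main__":
    # Constructed payload: four '....//' hops, each collapsing to '../' once
    # the single-pass filter has eaten its middle '../'.
    payload = "....//" * 4 + "etc/passwd"
    print(naive_strip_filter(payload))                # ../../../../etc/passwd
    print(serve_after(naive_strip_filter, payload))   # /etc/passwd
    print(serve_after(looped_strip_filter, payload))  # stays under IMAGE_DIR
    print(is_safe_path("../../../../etc/passwd"), is_safe_path("decks/board1.jpg"))
```

Note that the untouched payload is harmless on its own: without the filter it resolves to a directory literally named "...." under the image directory, and is_safe_path accepts it for that reason. It is the single-pass filter that manufactures the traversal, which is the strongest argument for checking the resolved path rather than hunting for forbidden substrings.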
As a final note, using a directory traversal technique will be particularly helpful when attempting to exploit local file inclusion vulnerabilities (LFI). You’ll find details here.