14 Фев, 2024

Path Traversal

In the world of information technology and web development, security is critical. However, despite the constant development of security techniques, vulnerabilities continue to be a pressing issue, putting data confidentiality and integrity at risk. One such vulnerability commonly found in web applications is “Path Traversal”.

Description

Path Traversal, also known as Directory Traversal, is an attack on a web application that aims to gain unauthorised access to a server’s file system. This vulnerability occurs due to insufficient validation and filtering of user input when generating file and directory paths.

The basic idea of the attack is to use specially constructed string values containing characters such as “../” to navigate to parent directories and bypass access restrictions set by the web application. By manipulating file or directory paths, an attacker can gain access to sensitive data, including configuration files, passwords, and other sensitive resources residing on the server.

For example, imagine a web application that allows files to be uploaded to the server and stored in a specific directory. If the application does not check user input for “../” or equivalent characters, an attacker could construct the URL request in such a way as to access a directory above the one in which the uploaded files should be stored. This can lead to the ability to view, modify or even delete files, compromising data confidentiality and integrity.

Such attacks can have serious consequences for web applications and organisations, including leakage of sensitive information, compromise of user data, breach of data protection legislation and reputational damage. Understanding and defending against Path Traversal is therefore a critical aspect of cyber security.

Примеры эксплуатации

To better understand the Path Traversal vulnerability, let’s take a look at one of the labs from PortSwigger, a renowned name in web security. In this lab, it is proposed to exploit the Path Traversal vulnerability in a web application to gain access to protected files or directories.

Let’s start by just exploring the site.

This website is supposedly some kind of online shop, which as we can see has some pictures on it. Opening one of the photos in a new tab you can see this path in the url:

Let’s break this URL down in more detail:

				
					https://x.web-security-academy.net/image?filename=1.jpg
				
			

This URL leads to a web application that displays the images passed via the filename parameter. The value of this parameter(1.jpg) points to the file that the application should download and display.

However, if we change the value of the filename parameter to ../../../etc/passwd, it creates a dangerous situation due to the Path Traversal vulnerability.

Let me explain:

• ../../../ is the character used to jump to the parent directory.

/etc/passwd is a file on Unix-like operating systems that contains user information.

So when we add ../../../etc/passwd instead of 1.jpg, the request tries to access the /etc/passwd file on the server. If the web application is vulnerable to a Path Traversal attack, this would allow an attacker to read the contents of the /etc/passwd file, which typically contains information about system users such as their names and home directories.

Let’s intercept this request with burp!

This query response shows that the server successfully returned the contents of the /etc/passwd file, which confirmed the vulnerability on the service!

Scanners that detect vulnerabilities

  1. Nessus is a widely used vulnerability scanner that can detect a wide range of vulnerabilities, including Path Traversal. It offers both free and paid versions.

  2. OpenVAS (Open vulnerability assessment System) is an open-source vulnerability scanner that can detect vulnerabilities in networks and applications, including Path Traversal.

  3. Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including Path Traversal vulnerabilities.

  4. Burp Suite is a popular toolkit for web application security testing. It includes a scanner module that can automatically detect various vulnerabilities, including Path Traversal, through its active and passive scanning features.

  5. Acunetix is a web vulnerability scanner that can identify a wide range of vulnerabilities, including Path Traversal, in web applications.

  6. OWASP ZAP is a widely used open-source web application security testing tool. It includes features for finding vulnerabilities like Path Traversal through both automated and manual testing.

  7. Qualys provides a vulnerability management platform that includes scanning capabilities to detect Path Traversal vulnerabilities and other security issues in networks and web applications.

  8. Cryeye is a AMAZON WEB SERVICES tool including cloud auditnetwork security analysis, and more in cyber security. It includes features to find vulnerabilities such as Path Traversal and many other known vulnerabilities through automated testing.

Average CVSS score for Path Traversal vulnerability

The Common Vulnerability Scoring System (CVSS) is a standardized system for assessing the severity of vulnerabilities. The CVSS score ranges from 0.0 to 10.0, with 10.0 being the most severe. The average CVSS score for Path Traversal vulnerabilities can vary depending on factors such as the impact of the vulnerability, the ease of exploitation, and the potential for damage.

In general, Path Traversal vulnerabilities are considered to be moderately severe to severe, as they can allow attackers to access sensitive files and directories on a system, leading to information disclosure, data loss, or even system compromise. As such, the average CVSS score for Path Traversal vulnerabilities often falls within the range of 5.0 to 8.0.

However, it’s essential to note that the CVSS score for any specific vulnerability can vary based on the context in which it is found, including the affected system, the level of access required to exploit it, and the potential impact on confidentiality, integrity, and availability of the system. Therefore, it’s crucial to assess each vulnerability individually and consider its unique characteristics when assigning a CVSS score.

CVES related to Path Traversal

CVE-2018-11776 Path Traversal vulnerability in Apache Struts 2, allowing remote attackers to bypass access restrictions and execute arbitrary code via a specially crafted URL.

CVE-2019-0232 Path Traversal and Remote Code Execution (RCE) vulnerability in Apache Tomcat, allowing remote attackers to execute arbitrary code by providing a specially crafted URL.

CVE-2019-5420 Path Traversal vulnerability in Ruby on Rails, allowing remote attackers to bypass access restrictions and view arbitrary files on the server.

CVE-2020-11651 / CVE-2020-11652 Path Traversal and Authentication Bypass vulnerabilities in SaltStack Salt, allowing remote attackers to execute arbitrary commands on the server.

CVE-2021-22600 Path Traversal vulnerability in VMware vRealize Business for Cloud, allowing remote attackers to view arbitrary files on the server.

CVE-2021-44228 / CVE-2021-45046 Path Traversal and Remote Code Execution (RCE) vulnerabilities in Apache Log4j 2, allowing remote attackers to execute arbitrary code via a specially crafted log message.

CVE-2022-23812 Path Traversal vulnerability in JetBrains TeamCity, allowing remote attackers to view arbitrary files on the server.

To study Path Traversal

Академия веб - безопасности PortSwigger

PortSwigger offers a range of interactive labs and exercises covering various web security topics, including Path Traversal. You can find hands-on exercises that allow you to practice exploiting and mitigating Path Traversal vulnerabilities.

OWASP WebGoat and Juice Shop

OWASP (Open Web Application Security Project) provides deliberately insecure web applications like WebGoat and Juice Shop, which contain exercises and challenges related to web security vulnerabilities, including Path Traversal. You can set up these applications locally or use online versions to practice.

Hack The Box and TryHackMe

Platforms like Hack The Box and TryHackMe offer virtual labs and challenges covering a wide range of security topics, including web security. You can find machines and challenges related to Path Traversal vulnerabilities, where you can practice your skills in a safe environment.

Online tutorials and write-ups

Many security researchers and enthusiasts share tutorials, write-ups, and walkthroughs of exploiting Path Traversal vulnerabilities on platforms like Medium, GitHub, and personal blogs. These resources can provide valuable insights and practical examples.

Конференции и семинары по вопросам безопасности

Attend security conferences, workshops, and training sessions where experts share their knowledge and experience in web security. These events often include hands-on labs and exercises focused on various security vulnerabilities, including Path Traversal.

How to be protected from Path Traversal

Implement strict input validation and sanitization techniques to ensure that user-supplied input used to construct file paths is properly validated and sanitized. This includes validating input against a whitelist of allowed characters and rejecting any input that contains potentially dangerous characters such as “../”.

Instead of directly using user-supplied input to construct file paths, consider using whitelists or allow lists to specify acceptable file paths or directories. This approach limits the potential for unauthorized access to files outside the intended scope.

Ensure that the web server and application have the minimum necessary permissions to access files and directories. Restrict access permissions to sensitive files and directories to only those users or processes that require it.

Many web application frameworks provide built-in security features and controls to mitigate common vulnerabilities, including Path Traversal. Familiarize yourself with the security features of the framework you are using and ensure they are properly configured and utilized.

Implement secure file system configurations to prevent unauthorized access to sensitive files and directories. This may include setting appropriate file and directory permissions, disabling directory listing, and using chroot jails or containers where appropriate.

Keep all software components, including web servers, application frameworks, and libraries, up to date with the latest security patches and updates. Vulnerabilities in software components can often be exploited to facilitate Path Traversal attacks.

Deploy a WAF to help detect and block malicious requests that attempt to exploit Path Traversal vulnerabilities. WAFs can be configured to inspect incoming requests and block those that exhibit suspicious behavior indicative of a Path Traversal attack.

Заключение

Path Traversal vulnerabilities pose a significant threat to the security of web applications, as they can be exploited by attackers to gain unauthorized access to sensitive files and directories on the server. Throughout this article, we have explored the nature of Path Traversal vulnerabilities, their potential impact on web applications, and strategies to mitigate the risk of exploitation.

Effective protection against Path Traversal vulnerabilities requires a multi-layered approach that involves implementing robust input validation and sanitization, using whitelists for file access, applying the principle of least privilege, and securing the file system configuration. Additionally, keeping software components up to date, deploying web application firewalls, and conducting regular security testing and code reviews are essential practices to help identify and address vulnerabilities before they can be exploited.

By prioritizing security measures and adopting proactive security practices, organizations can effectively mitigate the risk of Path Traversal vulnerabilities and enhance the overall security posture of their web applications. It is imperative for developers, security professionals, and organizations alike to remain vigilant and stay informed about emerging threats and best practices in web application security to effectively defend against evolving cyber threats, including Path Traversal vulnerabilities.

Другие Услуги

Готовы к безопасности?

Связаться с нами