Name |
Relative Path Traversal |
|
Likelyhood of attack |
Typical severity |
High |
High |
|
Summary |
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure. |
Prerequisites |
The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Survey application] Using a browser or an automated tool, an attacker follows all public links on a web site. They record all the links they find. They pick out the URL parameters that may related to access to files. |
- Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
- Use a browser to manually explore the website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.
|
2 |
Experiment |
[Attempt variations on input parameters] Possibly using an automated tool, an attacker requests variations on the identified inputs. They send parameters that include variations of payloads. |
- Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".
- Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.
|
3 |
Exploit |
[Access, modify, or execute arbitrary files.] An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker could be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, they could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands. |
- Manipulate file and its path by injecting relative path sequences (e.g. "../").
- Download files, modify files, or try to execute shell commands (with binary files).
|
|
Solutions | Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement Implementation: Perform input validation for all remote content, including remote and user-generated content. Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach. Implementation: Prefer working without user input when using file system calls Implementation: Use indirect references rather than actual file names. Implementation: Use possible permissions on file access when developing and deploying web applications. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-23 |
Relative Path Traversal |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-126 |
An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files. |
|