Stop Attackers From Moving Around Your Server
When an attacker gains access to a web server, they often attempt to move around the server to find sensitive information. One way they can do this is by using a technique called directory traversal. Directory traversal is when an attacker uses the directory structure of a website to their advantage.
By exploiting how web servers handle requests, an attacker can access files and directories that they should not have access to. To access a file, the file's path must be known. The path can be absolute, which specifies the full path from the root directory, or relative, which specifies the path from the current directory. This can lead to the disclosure of sensitive information, such as passwords, financial information, and more.
Reading Files Using Directory Traversal
In this blog, we will check out different ways directory traversal can be used to access the file system. For instance, let us consider an e-commerce application that displays images of its products using an <img> HTML tag.
<img src="/products/img?file=9re.png">
In the above tag, the /products/img directory has a parameter known as "file" which holds the name of the file. The application then retrieves that file from the /products/img directory by name. By default, a web server on a Linux system uses /var/www as its document root, so in our case the images are stored in /var/www/products/img. In this case, the application reads the file from the directory given below.
This shows that the application has no defenses against a directory traversal attack: the attacker can use the file-retrieving parameter to request any file from the server.
For instance, if the attacker wants to check the contents of the /etc/passwd file, the malicious URL looks like the one below.
In the above URL, the ../ sequence is used to go back to the parent directory, so in our case the file system walks back through multiple directories to the root directory and retrieves the
You might find some security mechanisms in place during the exploitation, which can be bypassed using any one of the following ways.
If the server expects a .png file extension and rejects any file that is not a .png, a workaround is to use a null byte to bypass the filter and extract the file, as seen in the URL below:
Another way is to single- or double-encode the URL. Some web servers discard known directory traversal sequences before accepting the values; by URL-encoding them, an attacker can bypass the security filter and gain access to the internal file system. The URL looks like the one below:
Directory traversal prevention measures
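As an added illustration of the prevention side (this code is not from the original post), the following Python function validates the "file" parameter of the /products/img example the way a hardened server-side handler would. It assumes the /var/www/products/img image directory named above and a hypothetical allow-list of image extensions; it fully decodes the parameter before checking it, rejects null bytes and path separators, and confirms the canonical path still sits under the image root, which refuses the ../, null-byte and double-encoded requests described above.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed values for this example: the image directory named in the post and
# a hypothetical allow-list of image extensions.
IMAGE_ROOT = "/var/www/products/img"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_image_path(file_param: str, root: str = IMAGE_ROOT) -> Optional[str]:
    """Map the `file` query parameter to an on-disk path, or return None when
    the request must be rejected."""
    # 1. Decode until the value stops changing, so a double-encoded
    #    "%252e%252e%252f" is seen as "../" and not as harmless text. A value
    #    that is still changing after three rounds is refused outright.
    decoded = file_param
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None
    # 2. A null byte ("../../etc/passwd%00.png") would let a C-level open()
    #    see a different name than the extension filter did.
    if "\x00" in decoded:
        return None
    # 3. Only a bare file name is expected: no separators, no dot segments.
    if "/" in decoded or "\\" in decoded or decoded in ("", ".", ".."):
        return None
    # 4. Extension allow-list, checked on the fully decoded name.
    if posixpath.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # 5. Canonicalise and confirm the result is still under the root; this is
    #    the check that holds even if the rules above are later relaxed.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the legitimate one and the three attack
    # variants discussed in the post.
    for value in ("9re.png", "../../../etc/passwd",
                  "../../../etc/passwd%00.png",
                  "%252e%252e%252f%252e%252e%252fetc%252fpasswd"):
        print(repr(value), "->", resolve_image_path(value))
```

Logging every rejected value (not just dropping it) gives the operations team a cheap traversal-probe detector on top of the fix.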
Looking to expand your knowledge of penetration testing? Check out our online course, MPT - Certified Penetration Tester. In this course, you’ll learn about the different aspects of penetration testing and how to put them into practice.