What is Path Traversal?

By Felez
Expert member
9 Jul 2013

This attack, also known as Directory Traversal, aims to read files that the administrator never intended to expose: files that should not be reachable at all, or files that were once linked from the page and left on the server after the link was removed. The directories we reach this way are typically stored outside the web root folder (for example the file holding the system's user names and passwords).

Absolute paths, or variations specific to each file and operating system, are needed for this, so before attempting the attack we should identify the operating system of the target website through passive reconnaissance; that makes our attempts far more targeted.

This vulnerability is not limited to viewing simple system files: once we can reach a file, we may be able to change the permissions on it, escalate privileges, act as an administrator on the system, and cause far greater damage.

We open the Directory Traversal (file) section of bWAPP.


As the section we opened shows, the PHP file takes a file name as a parameter.

The question to think about here is: if the page can load files from the operating system, can it be made to load files we are not permitted to access? We have already identified the operating system; I will experiment on Linux.

I run experiments like this for that reason. The "../" sequence moves up one directory, the same as the "cd .." command on Linux, so each "../" in the URL takes us one directory back. Since we do not know how the directories on the target website are laid out, we keep going back this way until we reach the target file, /etc/passwd.

Experimenting with this form, we reached the target file.

In addition, some precautions may be taken against the "../" sequence. That does not mean the application is not vulnerable; encoding the sequence can let us get around some of these measures.

There are many tools that make this test easier; we will use the dotdotpwn tool.
Since dotdotpwn is no longer included in the latest Kali Linux release, we downloaded it from GitHub and ran it as ./dotdotpwn.pl to see the options it offers.


RUNNING A SAMPLE TOOL

./dotdotpwn.pl -m http -h 10.0.2.4/bWAPP/directory_traversal_1.php?page=message.txt

Running it in this form gives us the result.

Dirbuster

DirBuster lets us reach the file we want in the same way.

For example, if I want to access the images file, I can try in the same way here; turning this into an automated test is what OWASP's DirBuster tool does.

With the DirBuster tool, we test for the files that may be present on the website's server.

As shown in the image, I place the URL in section 1 and the txt wordlist file for the attempt in section 2, and then I click Start.

After I start, the result list view shows the results of DirBuster's attempts. By looking at the response length here we can draw some conclusions, and we see many files on the site that were forgotten and never blocked.

Related Security Activities


How to Avoid Path Traversal Vulnerabilities
All but the simplest web applications have to include local resources, such as images, themes, other scripts and so on. Every time a resource or file is included by an application, there is a risk that an attacker could include a file or remote resource you did not authorize.

How do you know if you're vulnerable?
Make sure that you understand how the underlying operating system handles the file names handed to it.
Do not store sensitive configuration files in the web root.
For Windows IIS servers, the web root should not be on the system disk, to prevent recursive traversal back into the system directories.


How to protect yourself?
Prefer to work without user input when using file system calls.
When using language files, use indexes instead of the actual parts of the file names (i.e. value 5 in the user submission = Czechoslovak).
Make sure the user cannot supply all parts of the path; surround it with your own path code.
Validate user input by accepting only known good values; do not sanitize the data.
Use chrooted jails and code access policies to restrict where files can be retrieved from or saved to.
If forced to use user input for file operations, normalize the input before using it in file I/O APIs, such as with normalize().
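An added example, not from the original post or from bWAPP or OWASP, contrasting the vulnerable pattern described earlier (the page parameter joined straight onto the web root, so "../" and its encoded forms walk out of it) with the decode, normalize and known-good-only handling this section recommends. The web root path, the language file table and the file names are constructed for the illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/bWAPP"  # constructed web root for the example
LANGUAGE_FILES = {1: "english.txt", 2: "turkish.txt", 5: "czech.txt"}  # constructed index table

def naive_page_path(page):
    """Vulnerable pattern: the 'page' parameter is joined straight onto the web
    root and handed to the file API, so each '../' walks one directory up."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so '..%2f' and the
    double-encoded '%252e%252e/' are both seen as '../'. Bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_page_path(page):
    """Hardened form: decode, accept only known-good segments, then confirm the
    normalized result still lies inside WEB_ROOT (pure path logic, runs offline;
    a real server should also compare realpath() results to defeat symlinks)."""
    decoded = fully_decode(page).replace("\\", "/")
    if "\0" in decoded or decoded.startswith("/"):
        raise ValueError(f"absolute path or NUL byte rejected: {page!r}")
    segments = decoded.split("/")
    for segment in segments:
        if segment in ("", ".", "..") or not all(c.isalnum() or c in "._-" for c in segment):
            raise ValueError(f"rejected path segment {segment!r} in {page!r}")
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, *segments))
    if posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT:
        raise ValueError(f"path escapes web root: {page!r}")
    return resolved

def is_allowed(page):
    """True if safe_page_path() accepts the parameter, False if it rejects it."""
    try:
        return bool(safe_page_path(page))
    except ValueError:
        return False

def language_file(index):
    """Index lookup instead of a user-supplied file name (the 'value 5 = Czech' idea)."""
    try:
        return posixpath.join(WEB_ROOT, LANGUAGE_FILES[int(index)])
    except (KeyError, ValueError):
        raise ValueError(f"unknown language index {index!r}") from None
```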
