What is
Path Traversal

stackhawk

StackHawk|May 5, 2022

In this blog post, we'll cover what path traversal is and how it works. We'll also look at how you can avoid these kinds of attacks.


Cyberattacks don't come in just one form or fashion. Cyberattackers use several different techniques and avenues to breach security. One of the most popular is path traversal. In this blog post, we'll cover what path traversal is and how it works. We'll also look at how you can avoid these kinds of attacks.

What is Path Traversal? image

What Is Path Traversal?

A path traversal (or dot-dot-slash) attack is a malicious attempt to trick a web application into displaying the contents of a directory other than the one requested by the user and gain access to sensitive files on a server. For example, if a user should be viewing an image called abc.jpeg but the web application is tricked into displaying the files in /var/www, the attacker will have successfully performed a path traversal attack.

The attacker may be able to access files that should only be accessible to the web server's owner, such as .htaccess files or files containing configuration or authentication data.

What Kind of Security Breaches Can Path Traversal Result In?

Suppose a site is vulnerable to path traversal. In that case, an attacker will be able to read sensitive files, such as application source code containing usernames and passwords, database credentials, and even private encryption keys. Hackers will be able to write data to arbitrary files in some cases, allowing them to upload a back door to the site, to upload malicious files that are automatically executed, etc.

What Happens When a Path Traversal Attack Executes?

Path traversal is a method of accessing files and directories stored outside the webroot folder.

Using a typical example, let's look at how path traversal works under the hood.

Let's say a user is using an online shopping app that creates an invoice every time they shop. When accessing the invoice, the URL looks like this:

https://www.shopping.com/user/invoice?name=order1

The name here denotes the name of the PDF invoice that the server needs to send. When the server receives the file's name, it adds the working directory and the file extension to the name of the file (/var/www/invoices/order1.pdf), gets the file from the server and sends it back. If the attacker replaces the filename order1.pdf with something malicious like../../etc/passwd, the application will return the requested file's content if the proper controls are not in place.

What Conditions Are Required for a Successful Path Traversal Attack?

A path traversal attack is a type of attack that allows a hacker to traverse through directories and read or write any file on the system. A hacker can carry this out by exploiting insufficient input validation techniques. To be able to carry out a path traversal attack successfully, a hacker needs to meet any of the following conditions: 

1. Lack of Relative Path Checking

The most frequently used technique to exploit the directory traversal vulnerability is to use a relative path appended to a vulnerable parameter. If the parameter is not sanitized correctly, the attacker can read arbitrary files from the system.

2. Validating File Extensions Only

File extension validation is a popular way to fix the problem. However, a lot of people miss how dangerous this can be. File extension validation is never a substitute for checking if the parameter is trying to access another file of a different format and can easily be bypassed using Null Byte at the end of the file. 

3. Escaping Dot-Dot-Slash (Improper Implementation)

Some developers try to escape or replace only the ../ from the string, but this is not a proper fix, and it can be bypassed by encoding the escaped characters. In this case, the ../ can be encoded and passed via the URL (for example, from: http://www.example.com/?invoice=../../../../../../../../../tmp/xyz.txt  to http://www.example.com/?invoice=../../../../../../../../../tmp/xyz.txt?%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/tmp/xyz.txt.).

Now that you understand the conditions required to perform a path traversal attack, let's look at different ways in which hackers can perform this attack.

Different Ways to Perform a Path Traversal Attack

A hacker can perform a path traversal attack by manipulating the file path on the webserver and exploiting its weak security.

Below are the most common methods:

1) Using a relative path. This attack adds a file or folder path relative to the current working directory. For example, if the current working directory is /home/user/public_html, an attacker can upload malicious code such as ../../../../../../../../../../../../../../../etc/passwd  to access the /etc/passwd file. 

2) Encoding escaped characters. This attack encodes special characters using URL encoding. For example, the attacker can use %2e%2e/%2f to add a / after every two dots. 

3) Using a Null Byte attack: This attack uses a Null Byte (\x00) to bypass a path's regular validation. For example, the attacker can add \x00 in the directory name to bypass the validation by breaking the regular expression. This is also known as Null Byte injection.

Secure Code Snippets to Avoid Path Traversal Attacks

Though path traversal attacks have been around for a long time, they're still a viral attack vector. This is because they're easy to launch and can be applied in several situations. 

Below are some JavaScript secure code snippets that can help you avoid such attacks.

1. Normalize the file path.

const normalizeFilePath = (filePath) => {
    // If filePath is a relative path, convert it to an absolute path
    let normalizedFilePath = path.normalize(filePath).replace(/^(\.\.(\/|\\|$))+/, '');
 
    if (normalizedFilePath.endsWith(path.sep)) {
        // Remove trailing path separator if present
        normalizedFilePath = normalizedFilePath.slice(0, -1);
    }
}
2. Make sure the validating string is alphanumeric.
const checkStringAlphaNumeric = (str) => {
    // Check if string is alphanumeric
    return /^[a-zA-Z0-9]+$/.test(str);
}
3. Check if URL encoded characters are present.
const checkIfURLEncodedPresent = (filePath) => {
    // Check if URL encoded characters are present
    return /%[0-9A-F]{2}/i.test(filePath);
}

The code snippets above are for JavaScript, but what about other programming languages? Let’s look at some standard best practices to avoid path traversal vulnerabilities.

Primary Methods of Preventing Path Traversal

By now, you should have a pretty good idea of what a path traversal attack is. You know that it involves a malicious attacker trying to access a part of your website that should never be accessed.

Let's cover some of the ways you can prevent path traversal, secure your web server, and keep your web application safe.

1. Normalize the file path. 

2. Avoid using high-privilege users. 

3. Update the version of your programming language and web server regularly.

4. Escape special characters (even if you've already URL encoded them). 

5. Try not to rely on user-supplied file paths.

Although path traversal is a critical vulnerability, it's not the only vulnerability that hackers exploit, so writing secure code is essential. Let's have a look at some helpful tips.

Four Helpful Tips to Avoid Security Vulnerabilities

Security vulnerabilities can be present in any software. However, web applications are more vulnerable because they're online. Therefore, keeping them secure is essential.

Here are four tips: 

1. Keep Your Software Up to Date

One of the most essential best practices is keeping your software up to date and updating it as soon as a new patch is released. 

2. Automate Testing for Security Vulnerabilities in the Build Pipeline

The build pipeline is a vital part of the DevOps process. It allows the development team to compile the newly developed code and push it out to the production servers. However, this process can be pretty vulnerable, especially if you haven't configured it correctly.

That's where theStackHawk's DAST Scanner comes in. You can integrate it with CI/CD pipelines, which allows you to automate the scanning process and discover vulnerabilities as early as possible, including path traversal, SQL injection, cross-site scripting, etc.

3. Enforce a Strong Password Policy

This is a simple step many businesses overlook.

Requiring complex passwords that an attacker cannot easily guess is essential.

If you haven't yet created a password policy for your business, you should do so immediately.

4. Use SSL Certificates

HTTPS is a protocol that encrypts data as it passes between a user and the server, ensuring that no one can intercept it. 

Automated API security testing in CICD

Conclusion

We wrote this blog post to provide you with the most comprehensive yet easy-to-understand information about path traversal vulnerabilities and what you can do to fix them. We hope you've found it helpful and that you'll take advantage of StackHawk's DAST Scanner to make sure your application is free of this vulnerability. If you have any questions or concerns, don't hesitate to contact us. Thanks for reading!


StackHawk  |  May 5, 2022