TYPES OF DIRECTORY TRAVERSAL ATTACKS
- URI encoded directory traversal
- UNICODE/UTF-8 encoded directory traversal
- ZIP/ARCHIVE traversal attacks
URI encoded directory traversal
Some websites scan for the Query Strings such as dot dot backward slash (../) or dot dot forward slash (..\) or dot dot (..) to prevent directory traversal attacks. But if we look on how are these query processed then we find out that they are URI encoded, therefore they are vulnerable to percent encoded directory traversals such as:- %2e%2e%2fwhich translates to ../
- %2e%2e/which translates to ../
- ..%2fwhich translates to ../
- %2e%2e%5cwhich translates to ..\
UNICODE /UTF-8 encoded directory traversal attacks
When Microsoft added Unicode support to their web server a new way of directory traversal attack was generated. Attackers had a new way of encoding the dot dot slash ( ../ ) ,multiple percent coding such as :- %c1%1c
- %c0%af
ZIP/ARCHIVE TRAVERSAL ATTACKS
This type of attack is carried out by providing a zip or archived file which can overwrite the files on the File System enabling backtracking. Code that decompress archive files can be written to check that the paths of the files in the archive do not engage in path traversal.EXAMPLE OF DIRECTORY TRAVERSAL ATTACK
The URL which can be attacked can be of the following type:http://www.somewebsite.com/itemone.php?page=notification.php
Now let’s assume that the webserver is running on UNIX like operating system. Then there will be a directory 'etc' on unix/linux which contains configuration files of programs that run on system. Some of the files are passwd, shadow, profile, sbin, placed in 'etc' directory, etc is generally the default folder so can be found out at certain level of hierarchy in file system.
Now to check for the directory traversal attack we need to do some adjustment in the given URL, we need to alter its path to the desired directory.
http://www.somewebsite.com/itemone.php?page=../../../../etc/passwd
The dot dot slash(../) will take you up the directory one level each time, so it totally depends upon the hierarchy as to how much dot dot slash (../) you will be needing in order to reach to the desired location.
If you reach the desired location, which means the passwd file you will get the contents of it which can give out valuable information such as username and password.
IMPACT OF DIRECTORY TRAVERSAL ATTACK
This attack can leak out the sensitive data stored in different folders which is not meant to be viewed by the public such as username and passwords. Using the data the attacker can get the administration as root and exploit the web server accordingly.The attacker can erase, edit or sell the gathered data which would be a greater breach. Also the attacker can install some malicious programs such as malware, virus, backdoors, rootkits.
Attackers can also download files from the server and execute commands and expose the source code which may lead to more number of attacks.
CONCLUSION
As we can see the severity of the attack and its highly undesired impact, one should take all the measures to protect himself or herself from this attack. These measures can be updating the Web Server regularly and patching all known vulnerabilities as soon as possible.Also the data can be kept on different drive as traversing to other drives is not possible through this type of attack. Effectively filter any user input. Ideally remove everything but the known good data and filter Meta characters from the user input.
WebsitePentest:
We, Brisk Infosec provide website security services for any organizations. Guarantee for securing your websites from any vulnerabilities and attacks with ethical touch. We offer $99 for website security services. Website security organizations are like a black cat in a coal cellar, very hard to find. Brisk Infosec is one among them with more professional security analyst, who provides services in economical fixed prices and most importantly a trustworthy organization.Reach us websitepentest@briskinfosec.com
- You no need to pay if you not vulnerable
- You no need to pay before testing
- We just need your website with official conformation.
Still thinking to reach us? Well, there is an high probability of an intruder already found a loop to get into your website by now! “Before they starts, we will stop and secure you!!”,Hurry and send us email.
Posts
