Detecting Directory Traversal Attacks

What is Directory Traversal?

Directory traversal is a type of attack that attackers often use to access files and directories stored outside the web server's root directory. It involves manipulating input to access files on a web server that are not intended to be accessible to unauthorized users. This type of attack is also known as the "dot-dot-slash" attack, and it can be used to gain unauthorized access to sensitive data or execute arbitrary code on a web server.

For example, let's say a web application uses the following URL to display user profile pictures:

http://example.com/profiles/picture.php?name=user1.jpg

An attacker can use a directory traversal attack to access files outside of the intended directory by adding ../ to the URL. For instance, they could use the following URL to access a file outside of the profiles directory:

http://example.com/profiles/picture.php?name=../../etc/passwd

This would give the attacker access to sensitive system files, such as the password file.
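
The check below is an added example, not code from the original article: it flags request URLs whose query parameter values resolve outside the intended directory, using the two URLs above as input. The base directory /var/www/html/profiles and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qsl

# Assumed directory the profile pictures are served from (hypothetical).
BASE_DIR = "/var/www/html/profiles"


def escapes_base(value, base_dir=BASE_DIR):
    """Return True if `value`, used as a file name under base_dir, resolves outside it."""
    # join() lets an absolute value replace base_dir; normpath collapses "." and "..".
    resolved = posixpath.normpath(posixpath.join(base_dir, value))
    base = posixpath.normpath(base_dir)
    return resolved != base and not resolved.startswith(base + "/")


def find_traversal(url, base_dir=BASE_DIR):
    """Return the (parameter, value) pairs in the URL's query that escape base_dir."""
    query = urlsplit(url).query
    # parse_qsl percent-decodes each value once before it is checked.
    return [(key, value)
            for key, value in parse_qsl(query, keep_blank_values=True)
            if escapes_base(value, base_dir)]


# Constructed sample requests; the first two are the URLs from the text above.
SAMPLE_URLS = [
    "http://example.com/profiles/picture.php?name=user1.jpg",
    "http://example.com/profiles/picture.php?name=../../etc/passwd",
    # Contains "../" but still resolves inside the profiles directory.
    "http://example.com/profiles/picture.php?name=albums/../user1.jpg",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = find_traversal(url)
        print("ALERT" if hits else "ok   ", url, hits)
```

Because the decision is made on the resolved path rather than on the presence of "../", the third sample is not flagged. On a live server, os.path.realpath should be used for the same comparison so that symbolic links are resolved as well.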

At first glance, this looks very similar to a Local File Inclusion (LFI) vulnerability. The main difference between directory traversal and LFI is the source of the input. Directory traversal involves manipulating the input that is used to access files on a web server, whereas LFI involves manipulating input that is used to include local files within a web application.

In a local file inclusion vulnerability, an attacker can use user input to include a file from the local file system into the web application. This can allow the attacker to execute arbitrary code on the server to access sensitive data.

For example, consider a web application that includes a file based on user input, such as include($_GET['page']). An attacker could manipulate the page parameter to include a sensitive file on the server, such as ../../../../etc/passwd. This would allow the attacker to read the password file and gain unauthorized access to the system.

In contrast, directory traversal vulnerabilities allow attackers to access files outside of the web application's root directory. This can also allow them to execute arbitrary code or access sensitive data, but the attack vector is different.

Directory Traversal Possible Vectors

Directory traversal attacks can occur through various attack vectors, including:

  1. User input: Attackers can manipulate user input parameters, such as URLs, file paths, and form fields, to access files outside of the intended directory. This can be done by adding "../" or other special characters to the input.
  2. Cookies: If a web application stores user data in cookies, attackers can try to manipulate the cookie value to access files outside of the intended directory.
  3. HTTP headers: Attackers can manipulate HTTP headers, such as the Referer or User-Agent header, to access files outside of the intended directory.
  4. File upload: If a web application allows file uploads, attackers can upload malicious files that contain directory traversal attacks.
  5. Direct requests: Attackers can try to access files and directories directly by guessing or brute-forcing the file names or paths.
  6. URL manipulation: Attackers can try to manipulate the URL of a web application to access files outside of the intended directory. For example, they can add "/../" to the URL to go up one directory level.
  7. Malicious links: Attackers can send users malicious links that contain directory traversal attacks. When the user clicks on the link, the attack is executed on their computer.