**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Path traversal, also known as directory traversal, is a type of vulnerability that allows an attacker to read arbitrary files on the server running an application.
Why does this happen?
- Insufficient Input Validation: Applications fail to sanitize user inputs, allowing attackers to use special characters like ../ to traverse directories. This happens when inputs are directly concatenated into file paths without checks.
- Improper Access Control: Weak or missing access controls allow attackers to access restricted files or directories. For example, the system may not enforce proper file access permissions or directory restrictions.
- Web Server Misconfigurations: Misconfigured servers, such as enabled directory listings or lack of sandboxing, expose the file structure. Attackers can exploit this to navigate to sensitive files outside the intended directory.
The impact:
- Application code and data: Attackers can access the source code and data files of the application, potentially exposing sensitive business logic or user data.
- Credentials for backend systems: Attackers might find configuration files containing usernames, passwords, or API keys used to access databases and other backend systems.
- Sensitive operating system files: Critical system files such as /etc/passwd on Unix-based systems or C:\Windows\System32\config on Windows can be exposed, potentially revealing system configurations and user information.
Walkthrough: File path traversal
Assume an application has a path traversal vulnerability in the way it displays product images. The goal is to retrieve the contents of the /etc/passwd file through that vulnerability.
- Send the request that fetches a product image to Burp Repeater.
  a. Open the homepage of the application.
  b. In Burp Suite, open the Proxy tab and go to HTTP history.
  c. If no image requests are listed, click Filter settings and, under Filter by MIME type, tick the Images checkbox.
  d. The image requests are now visible in the history.
  e. Send any image request to Repeater.
- Modify the filename parameter, giving it the value:
  ../../../etc/passwd
The response now contains the full contents of the /etc/passwd file.
Evading WAF in Path Traversal Attacks
When exploiting path traversal vulnerabilities, attackers often encounter Web Application Firewalls (WAFs) designed to detect and block malicious input. However, evasion techniques can bypass such defenses. Two common methods are:
1. Encoding and Double Encoding
WAFs often look for common patterns such as ../ in inputs, but these can be disguised by encoding:
- URL encoding: replacing ../ with its encoded form %2E%2E%2F can bypass basic filtering mechanisms.
- Double encoding: encoding the already encoded input again, e.g. %252E%252E%252F, makes the pattern harder for the WAF to recognize.
Example: In an application similar to the one used earlier but placed behind a WAF, a request containing ../../../etc/passwd does not succeed and is blocked.
The same request may succeed when URL-encoded as %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 or double-encoded as %25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34.
2. Using Null Byte Character (%00)
Null byte injection can terminate string processing in some backend systems, bypassing sanitization checks:
How it works: if the application filters or restricts file extensions (e.g., .jpg or .png), appending a null byte (%00) after the intended file path can cause the backend to ignore everything after it, including the extension.
Example: In a similar application, ../../../etc/passwd is blocked whether it is sent plain or encoded (the server answers with a 400 Bad Request).
An attacker may instead use ../../etc/passwd%00.png. The WAF sees a filename ending in a harmless .png, but the null byte stops string processing at passwd, so the file is read.
To prevent path traversal vulnerabilities, avoid passing user-supplied input to filesystem APIs at all. Where that is unavoidable, validate the input against a whitelist of permitted values or characters, canonicalize the resulting path using the filesystem's own APIs, and verify that the canonical path starts with the expected base directory. This layered defense minimizes the risk of unauthorized file access.
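As an added example (not code from the original article), here is the naive filter and the layered defense side by side in Python: a literal ../ blocklist of the kind the encoded, double-encoded and null-byte payloads above slip past, beside a resolver that decodes, rejects null bytes, canonicalizes and enforces the base directory, so every variant is refused. BASE_DIR and the function names are assumptions made for the demonstration.

```python
import os
import urllib.parse

# Constructed base directory for this example: the only directory the
# image handler is allowed to serve files from.
BASE_DIR = "/var/www/images"


def naive_is_safe(filename: str) -> bool:
    """Pattern blocklist of the kind a simple WAF rule or ad-hoc filter
    implements. It only catches a literal '../', so the encoded, double-encoded
    and null-byte variants discussed above pass straight through."""
    return "../" not in filename


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Strip stacked percent-encoding layers so the check sees the bytes the
    filesystem would see after every downstream decoding step (worst case)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(filename: str, base_dir: str = BASE_DIR):
    """Hardened resolution: decode, reject NUL bytes, canonicalize, then require
    the result to stay inside base_dir. Returns the absolute path to open, or
    None when the request must be refused."""
    decoded = fully_decode(filename)
    # unquote turns %00 into a real NUL byte; C-based file APIs would truncate
    # the path there, so refuse it outright instead of trying to clean it.
    if "\x00" in decoded:
        return None
    # normpath collapses '.', '..' and repeated separators. join() discards
    # base_dir when 'decoded' is absolute, which is why the containment check
    # below is mandatory. (Use os.path.realpath in production to also resolve
    # symlinks; normpath is used here so the example runs without the
    # directory existing.)
    candidate = os.path.normpath(os.path.join(base_dir, decoded))
    # The canonical path must be base_dir itself or strictly beneath it.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate
```

The same containment check also rejects an absolute path such as /etc/passwd, which os.path.join would otherwise accept silently.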
Summary Points
- What is Path Traversal?
  - A vulnerability allowing attackers to access arbitrary server files by manipulating file paths (e.g., using ../).
- Why It Happens:
  - Poor Input Validation: Unsanitized user inputs.
  - Weak Access Control: Unrestricted file/directory access.
  - Server Misconfigurations: Exposed file structures (e.g., directory listings).
- Impact:
  - Access to application code, credentials, and sensitive OS files (e.g., /etc/passwd).
- Exploitation Steps:
  - Intercept requests (e.g., using Burp Suite).
  - Modify file paths (e.g., filename=../../../etc/passwd).
  - Retrieve sensitive files.
- WAF Evasion Techniques:
  - Encoding: Use %2E%2E%2F for ../.
  - Double Encoding: Use %252E%252E%252F.
  - Null Byte Injection: Append %00 (e.g., ../../../etc/passwd%00.png).
- Prevention:
  - Validate and sanitize user inputs.
  - Restrict file access using whitelists.
  - Canonicalize paths and enforce base directory checks.