Saturday, April 7, 2018
Directory / Path Traversal attack
1 - Directory/Path Traversal attack
- Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restricted directories and even execute commands outside of the web server’s root directory:
https://www.acunetix.com/websitesecurity/directory-traversal/
- This vulnerability can exist either in the web server software itself or in the web application code.
- To perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are likely to be found on the system.
- With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system.
- This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
- The "../" characters are used by most operating systems to refer to the parent folder or directory.
- The "../" characters represent a directory traversal, and the number of “../” sequences depends on the configuration and location of the target web server on the victim machine.
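A containment check that stops the "../" sequences described above from stepping out of the web root, shown beside the naive path join it replaces. This is an added example, not code from the original post or from DVWA; the function names `naive_resolve` and `safe_resolve` and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile


def naive_resolve(web_root, requested):
    # Vulnerable pattern: the "../" sequences in `requested` are kept as-is,
    # so the normalised result can land outside web_root.
    return os.path.normpath(os.path.join(web_root, requested))


def safe_resolve(web_root, requested):
    """Return the real path of `requested` if it stays inside web_root, else None."""
    root = os.path.realpath(web_root)
    # Treat backslashes as separators so Windows-style input such as
    # "..\\secret.txt" is also caught when this runs on Linux.
    requested = requested.replace("\\", "/")
    # lstrip("/") keeps an absolute path from replacing web_root in join().
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # realpath() has collapsed every "../" and followed symlinks; the result
    # must still have web_root as its ancestor.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    # Constructed layout: <tmp>/www is the web root, <tmp>/secret.txt sits outside it.
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "www")
    os.makedirs(os.path.join(web_root, "pages"))
    for path in (os.path.join(base, "secret.txt"),
                 os.path.join(web_root, "pages", "include.php")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    requests = ["pages/include.php", "pages/../../secret.txt",
                "../../../etc/passwd", "..\\secret.txt", "/etc/passwd"]
    return {r: safe_resolve(web_root, r) for r in requests}, base, web_root


if __name__ == "__main__":
    results, base, web_root = demo()
    for req, resolved in results.items():
        print(f"{req!r:32} -> {resolved or 'REJECTED'}")
    print("naive:", naive_resolve(web_root, "pages/../../secret.txt"))
```

The check compares fully resolved paths rather than searching the input for "../", so it does not depend on how many sequences are supplied or how deep the web root sits.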
2 - Example 1: DVWA running on an Ubuntu Linux machine
- Layout for this exercise:
- Let's work through one example with the vulnerable DVWA application running on an Ubuntu Linux machine:
- In this example, 3 "../" sequences are used to display the contents of /etc/passwd on the screen:
- In the next example, let's suppose that the server stores a text file on the Desktop:
- Entering the string /../../../ followed by the corresponding path reveals the content of the text file:
3 - Example 2: DVWA running on a Windows machine
- Layout for this exercise:
- In this case we are looking for the win.ini file, which is a Microsoft Windows system file that loads settings from the C:\Windows directory each time Windows boots:
- Now, moving on to something more confidential, let's suppose that there is a file on the Desktop containing usernames and passwords:
- Traversing the path up to the Desktop and entering it into the URL reveals the content of the file: