DIRECTORY / PATH TRAVERSAL ATTACK
1 - Directory/Path Traversal attack
- Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restricted directories and even execute commands outside of the web server’s root directory:
https://www.acunetix.com/websitesecurity/directory-traversal/
- This vulnerability can exist either in the web server software itself or in the web application code.
- In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are usually located on the system.
- On a system vulnerable to directory traversal, an attacker can use the flaw to step out of the web root directory and access other parts of the file system.
- This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
- The "../" sequence is used by most operating systems to refer to the parent folder or directory.
- Each "../" represents one step up the directory tree, and the number of "../" sequences needed depends on the configuration and on where the target web server's document root is located on the victim machine.
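- As an added example (not code from the original post or from DVWA), the following shows the vulnerable pattern behind this exercise, a user-supplied file name joined onto the web root and opened as-is, beside a hardened version that canonicalises the final path and requires it to stay under the web root. The directory layout and file contents are constructed in a temporary directory; the "etc/passwd" there is a stand-in, not the real system file.

```python
import os
import tempfile


def naive_read(web_root: str, requested: str) -> bytes:
    """Vulnerable pattern: the request parameter is joined to the web root and
    opened directly, so each '../' walks one directory up and out of web_root."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def safe_read(web_root: str, requested: str) -> bytes:
    """Hardened form: resolve the final path (collapsing '..' and following
    symlinks) and refuse anything whose canonical form is outside the root.
    An absolute 'requested' (which os.path.join would let replace the root)
    is caught by the same containment check."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(target, "rb") as f:
        return f.read()


def _blocked(fn, *args) -> bool:
    """True if fn(*args) raises PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Constructed layout: <tmp>/var/www/html is the web root with index.html;
    <tmp>/etc/passwd sits three levels above it, as in the DVWA example."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "var", "www", "html")
    os.makedirs(root)
    os.makedirs(os.path.join(tmp, "etc"))
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(tmp, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    traversal = "../../../etc/passwd"  # three '../' sequences, as on the page
    return {
        "naive_leaks": naive_read(root, traversal).startswith(b"root:x:0:0"),
        "safe_allows_index": safe_read(root, "index.html") == b"<h1>hello</h1>",
        "safe_blocks_traversal": _blocked(safe_read, root, traversal),
        "safe_blocks_absolute": _blocked(safe_read, root, "/etc/passwd"),
    }
```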
2 - Example 1: DVWA running on an Ubuntu Linux machine
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6onMczzrX5LdpoHSiNWdVf2du7QY7zo84SAj_wgMc-CR4KxFdi2FypWEVMxEXNiKVFUbysL_dts22-AH0N60cgejJwI6yStdj6_3bS4Yu-2M8OxlVO0Y2_jbY3_OnY3c018PXYm3T5OCO/s400/screenshot.54.jpg)
- Let's perform one example with the DVWA vulnerable application running on an Ubuntu Linux machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRdIAY5O9FObSyYEnRaNZ3K6_383dAd0SJRHnaUr-HxZN-OcOh2RLEPkc5z00V3ZBHTbOGji6GFq5oKThA9F62kdbL7437HlZD0YRk0Paw7DS-10q8oT8dix66MGoy4YazFv41P56blaM5/s1600/screenshot.8.jpg)
- In this example three "../" sequences are used to display the contents of /etc/passwd on the screen:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSPOkf_tMxwQyiPIN6vTpRi2YZK_L-jcim5x0Sd_jmkCl8-MqpYL_DdB2GnEzWit2i6fBDO_vMZcgoIwUlyvOmr1c-ckon3aW6oO2i_HWZYS68gEq5NL7EldBVDn2MOsfXRWB9XV7buc0h/s1600/screenshot.9.jpg)
- In the next example let's suppose that the server stores a text file on the Desktop:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr_Z421gsi-B2oGUTEI_lSbHWjhyphenhyphenyaIXnrzaIcW1OLx5IGPJJz3JL9hug-N0ljB5pS-Y6vOMeMC9mfZbfobeolfu5k-2p5oXWMoIK5GwP1cQCE9a0RxPGk0skBam9lp_4YNmYlbL5yt8xj/s400/screenshot.33.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj12uAZOfmyIjQxeGNVWcYw9veLkozG_CskjYwU0yzlOYrFGOTRRCbLJQsu6IgbcTdrjiXQFkET7QgwlVflc23tD47MWOTzv5_ue0xRfWhRf34bFW3fPCpE0sQ-uwpV66uTNKkrGU1TYZkc/s1600/screenshot.32.jpg)
- Entering the string /../../../ followed by the corresponding path, the content of the text file is revealed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-pIsc2b1y9lYmV9NAuAbJqkLfxLxKhyphenhyphenXVR3IvrlNMsEothUyoaI2Q8twm04QoNAY_F_xjb8hCeXEWFxCob1OZD-VW78juuhQrGBauwBvPkI5lUI5YR8jTOfjMLBWj5htOBB4-Si6_XZzT/s1600/screenshot.11.jpg)
3 - Example 2: DVWA running on a Windows machine
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjoErwT86ZNhkbkZNwlDwqjCGQtvOAmnW99UzVlp1vN91R0RLhp5GLa45T1pptgJM4BkwY7PF_L7MKm99O620sgBQAm5GcSZbT3DqFpyWD1SZc5ZP58yYYeufx6x_Baj0d6H5BRuo3Ug0t/s400/screenshot.2.jpg)
- In this case we are looking for the win.ini file, which is a Windows system file that loads settings from the C:\Windows directory each time Windows boots:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoIRnwmxa6QRqs7hNPKF5sOMbzgpGi8acx7wGk-Sk-rzTtgpJUWJ2qgDJiHPkRfSWMSULfBviT0EGYCQRGOEEp9vPASuIa-W_h6iW2_g0F-bH8f2XFe2G6J-EeVmtkzyw4Pd89mBY6WzYb/s1600/screenshot.51.jpg)
- Now, going for something even more confidential, let's suppose that there is a file on the Desktop containing usernames and passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3EZSRFMJ_BVpXfS75p6omtRW5G5U-09R3CgGk6YIeNCOCq86G-V7GWFVzg8xVNXYp86WzAbR1nG7T7a3Mj-xEk2r1I0Z-xZ-k_eEUlfxhbdL_HrWI8JSm0EBll9ZpXE6qDUqzI9m7i9Gt/s400/screenshot.53.jpg)
- Traversing the path up to the Desktop and entering it into the URL, the content of the file is revealed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR_wsPC8ds-d8K0ec_nKBYZGrlhyIe9QZom9loRiOL1x57CHm9TPWmCUq1eKltepDjh46c8sC4DwlCCU_op6okNnSIprYWlCSxrH1O4fwoGL1sGYJtquuRtzwTvOh7e69rgEwJZueK1iLC/s1600/screenshot.52.jpg)