introduction to path traversal attack


Upload: prashant-hegde

Post on 16-Apr-2017


Page 1: Path Traversal: An Introduction

Prashant Hegde, Amith Gugihal, Akshay Tadapatri

Also known as: dot-dot-slash, directory traversal, directory climbing, backtracking

Page 2: What is a path traversal attack?

● A path traversal attack aims to access files and directories that are stored outside the web root folder. Note that access to files is still limited by the operating system's access control (for example, locked or in-use files on Microsoft Windows).

● To access files or execute commands anywhere on the file system, path traversal attacks use special character sequences (such as "../") in user-supplied paths.

Page 3: What is a directory?

● In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories.

● The top-most directory in such a file system, which does not have a parent of its own, is called the root directory.

● Root directory – in the context of a web server, this is the directory in the server file system from which content is served; users should not be able to access sensitive files above this root. One example given is the sensitive cmd.exe file on Windows platforms, which rests in the root directory and is not accessible to everyone.

Page 4: Root directory

[Slide diagram of the root directory; no text content survives.]

Page 5: What does ../ or .. (dot dot slash) mean?

● The ".." sequence instructs the system to go one directory (or folder) up. For example, if we are at C:/Apps/Games and type "../", we reach C:/Apps.

● To access files or execute commands anywhere on the file system, path traversal attacks use such special character sequences.

Page 6: Encoding and double encoding

● Most web servers prevent the plain "../" sequence from escaping the web document root, but alternate encodings of the "../" sequence may bypass these security filters.

● These variations include valid and invalid Unicode encodings of the forward slash character ("..%u2216" or "..%c0%af"), backslash sequences ("..\") on Windows-based servers, URL-encoded characters ("%2e%2e%2f"), and double URL encoding of the backslash character ("..%255c").

● Double encoding consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It works because the web server accepts and processes client requests in many encoded forms.

Page 7: Encoding and double encoding

  Encoded input        Decodes to
  %2e%2e%2f            ../
  %2e%2e/              ../
  ..%2f                ../
  %2e%2e%5c            ..\
  %2e%2e\              ..\
  ..%5c                ..\
  %252e%252e%255c      ..\   (after double decoding)
  ..%255c              ..\   (after double decoding)

  Legend: %2e = .   %2f = /   %5c = \   %252e = . (double encoded)   %255c = \ (double encoded)
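The table above can be checked mechanically. The following is an added example (not code from the original deck) that URL-decodes an input layer by layer, with a bound on the number of rounds, and shows why a filter that decodes only once misses the double-encoded rows; the table entries are the slide's, everything else is constructed.

```python
from urllib.parse import unquote

# Bound the number of decoding rounds so a long "%2525..." chain cannot
# keep the server busy; the slide's examples need at most two.
MAX_DECODE_ROUNDS = 3


def fully_decode(value, max_rounds=MAX_DECODE_ROUNDS):
    """URL-decode repeatedly until the string stops changing.
    Returns (decoded_value, rounds_used); rounds_used > 1 means the input
    was multiply encoded, which is itself a useful detection signal."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def contains_traversal(raw):
    """True if, after all decoding layers, the input has a '..' path segment.
    Backslash is treated as a separator because Windows-based servers do.
    Invalid/overlong UTF-8 such as %c0%af is not normalised here: unquote()
    maps it to U+FFFD, so such inputs should simply be rejected upstream."""
    decoded, _ = fully_decode(raw)
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def naive_single_decode_filter(raw):
    """A filter that decodes once and then looks for '../' or '..\\'.
    This is the kind of check that double encoding slips past."""
    once = unquote(raw)
    return "../" in once or "..\\" in once


# The slide's table: encoded input -> what the file system eventually sees.
ENCODING_TABLE = {
    "%2e%2e%2f": "../", "%2e%2e/": "../", "..%2f": "../",
    "%2e%2e%5c": "..\\", "%2e%2e\\": "..\\", "..%5c": "..\\",
    "%252e%252e%255c": "..\\", "..%255c": "..\\",
}


def verify_table():
    """True if every row of the slide's table decodes as the slide claims."""
    return all(fully_decode(raw)[0] == expected for raw, expected in ENCODING_TABLE.items())
```

Running contains_traversal() over the table flags every row, while naive_single_decode_filter() accepts the two double-encoded rows.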

Page 8: Real-world example: Belkin N150

● There was a serious security vulnerability in the Belkin N150 wireless router that can enable a remote, unauthenticated attacker to read any system file on a vulnerable router.

● Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability in the built-in web interface. The webproc CGI module accepts a getpage parameter that takes an unrestricted file path as input. Because the web server runs with root privileges by default, an attacker can read any file on the system.

Page 9: Time for demonstration

Page 10: Challenge 1

1. Navigate to https://google-gruyere.appspot.com/start
2. Find a way to read a file from a running Gruyere server using path traversal.

HINT: it's a secret file.

Page 11: Challenge 2

1. Navigate to https://google-gruyere.appspot.com/start
2. Find a way to replace secret.txt on a running Gruyere server.

HINT: you need to create a new user WITH DOTS.

Page 12: How to prevent path traversal attacks?

Page 13: How to prevent path traversal attacks?

● Don't store old, sensitive, or otherwise non-public files on your web server. The only files that should be in your /htdocs or DocumentRoot folder are those needed for the site to function properly.

● Recent versions of web servers have good directory security by default, so if possible make sure you are running the latest versions.

● Effectively filter any user input. Ideally, allow only known-good data and strip meta-characters from user input. This ensures that attackers cannot supply paths that leave the root directory or violate other access privileges.

● Remove "..\" and "../" from any input that is used in a file context.

● Ensure that your web server is properly configured to allow public access only to those directories that are needed for the site to function.
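The "allow only known-good data" bullet is best implemented by deciding on the canonical path rather than on the raw input. The following is an added example (not code from the original deck): safe_join() resolves the request beneath the document root and refuses anything that lands outside it, and demo() builds a throwaway root next to a constructed secret.txt to show which requests are served; strip_dot_dot() is the "remove ../" bullet taken literally, included to show that a single stripping pass alone is not a sufficient check.

```python
import os
import tempfile
from pathlib import Path


def strip_dot_dot(user_path):
    """The slide's bullet taken literally: one pass removing '../' and '..\\'.
    Kept here to show why the canonical-path check below is still needed."""
    return user_path.replace("../", "").replace("..\\", "")


def safe_join(document_root, user_path):
    """Resolve user_path beneath document_root and return the absolute path of
    an existing regular file, or None if the request escapes the root."""
    root = os.path.realpath(document_root)
    # Windows-based servers accept '\' as a separator, so normalise it first.
    # The leading '/' is stripped because os.path.join(root, "/x") would
    # discard root entirely and return "/x".
    relative = user_path.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows: cannot be inside root
        return None
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: <tmp>/htdocs/index.html is public, <tmp>/secret.txt
    sits one level above the document root. Returns, per labelled request,
    True if safe_join would serve it and False if it refuses."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(root)
        Path(root, "index.html").write_text("public page")
        Path(tmp, "secret.txt").write_text("must never be served")
        cases = {
            "legitimate": "index.html",
            "plain traversal": "../secret.txt",
            "one-pass strip of ....//": strip_dot_dot("....//secret.txt"),
            "backslash variant": "..\\secret.txt",
            "absolute path": "/secret.txt",
        }
        return {label: safe_join(root, req) is not None for label, req in cases.items()}
```

Only the legitimate request is served; every other case resolves outside the root (or to a file that does not exist beneath it) and is refused regardless of how the input was spelled.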

Page 14: Thank you for your attention