Path traversal, also known as directory traversal, is a common security vulnerability that can allow attackers to read arbitrary files on a server. Below is a list of general ways path traversal can be exploited to achieve this:


1. Basic Path Manipulation

  • Using ../ sequences to traverse up the directory tree to reach sensitive files.
    • Example: /app?file=../../etc/passwd
  • Variations:
    • Encoding ../ as %2e%2e%2f or %2e./ to bypass simple filters.

2. Encoding Techniques

  • URL Encoding: Encode special characters.
    • Example: %2e%2e%2f (for ../)
  • Double URL Encoding: Encode the URL-encoded sequences again, so that a filter which decodes once still sees %2e rather than a dot.
    • Example: %252e%252e%252f (decodes twice to ../)
  • Unicode Encoding: Using overlong or otherwise malformed multi-byte UTF-8 sequences that a lenient decoder accepts as a separator.
    • Example: ..%c0%af or ..%e0%80%af (for ../)
  • Base64 Encoding: If the application decodes base64 input.
    • Example: Li4vLi4vZXRjL3Bhc3N3ZA== (Base64 for ../../etc/passwd)

3. Null Byte Injection

  • Using a null byte (%00) to terminate a string in applications whose language runtime or libraries pass paths to C-style, NUL-terminated string functions.
    • Example: /app?file=../../etc/passwd%00.png
  • The application's extension check sees passwd%00.png, but the underlying filesystem call stops at the null byte and opens passwd instead of passwd.png.

4. Alternate Path Encoding

  • Using alternate encodings of directory separators to bypass filters:
    • Windows: \ (backslash)
    • URL-encoded: %5c (for \)
    • Unicode: \u2215 (division slash) or \u202f, look-alike characters that some normalization routines fold into an ordinary separator
    • Mixed separators: ..\/..\/..\/

5. Symbolic Link Exploitation

  • Exploiting symbolic links that point to sensitive files.
    • Example: /app?file=symlink_to_/etc/passwd
  • Attackers can create malicious symbolic links during temporary file upload scenarios.

6. Chained Vulnerabilities

  • Combining path traversal with another vulnerability.
    • Example: File upload combined with path traversal to upload malicious symlinks or overwrite server files.

7. Traversal in Remote Includes

  • If a file inclusion function (include, require and similar) builds its argument from user input, traversal turns it into local file inclusion.
    • Example: include("../etc/passwd");

8. Case Sensitivity Exploitation

  • Bypassing case-sensitive filters by varying letter case, which works where the underlying filesystem is case-insensitive.
    • Example: ..%2e%2e%2fEtC/pAsSwD

9. Contextual File Inclusion

  • Accessing configuration or backup files stored in predictable paths.
    • Example: /app?file=../../app/config.bak

10. Path Traversal with Wildcards

  • Using wildcards (* or ?) where the application expands globs (for example by passing the path to a shell or a glob function), so that files the author never intended are matched.
    • Example: /app?file=../../etc/*

11. Traversal Inside Zip Archives

  • Exploiting path traversal within compressed files during extraction: an archive entry whose name contains ../ is written outside the extraction directory (often called Zip Slip).
    • Example: Uploading a zip file containing an entry named ../../etc/passwd.

12. Environment Variable Manipulation

  • Manipulating file paths through environment variables.
    • Example: Setting TEMP=/../../etc/passwd and triggering a vulnerable operation.

13. Virtual File Systems

  • Exploiting stream wrappers and pseudo-protocols such as php://filter, file://, or zip:// when an application passes user input to a file function that accepts them.
    • Example: php://filter/read=convert.base64-encode/resource=/etc/passwd

14. Misconfigured APIs

  • Exploiting APIs that do not sanitize file path inputs.
    • Example: API endpoints using file paths directly: /api/readFile?path=../../etc/passwd

15. Overwriting Application Logic

  • Overwriting critical files that control application behavior:
    • Example: Overwriting .htaccess or configuration files.

16. Windows-Specific Exploits

  • Exploiting Windows drive names.
    • Example: C:\Windows\System32\drivers\etc\hosts
  • Using alternate data streams (ADS).
    • Example: C:\file.txt::$DATA

17. Using Reserved Device Files

  • Pointing a file read at special device files. On Linux a read of /dev/zero never reaches end-of-file and ties up the worker rather than disclosing data; on Windows the reserved names are intercepted by the OS regardless of the directory they appear in.
    • Example (on Linux): /dev/zero, /dev/null
    • Example (on Windows): CON, NUL, PRN

18. Path Normalization Bypass

  • Exploiting flawed path normalization logic, typically a check for the literal string ../ that runs before URL decoding or that strips the sequence only once.
    • Example: Encoded traversal sequences: /app?file=..%2f..%2f..%2fetc/passwd
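The defence that neutralizes the encoding, null-byte, separator, symlink and normalization tricks in items 1 through 5 and 18 is to decode once, canonicalize, and then check containment instead of filtering for the string ../. The following Python function is an added illustration, not code from the original list; the served directory /srv/app/files is a hypothetical value, and the sample inputs are constructed from the payloads above.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the application is allowed to serve files from.
BASE_DIR = Path("/srv/app/files")


def resolve_within_base(user_input: str, base_dir: Path = BASE_DIR) -> Optional[Path]:
    """Return the canonical path for user_input inside base_dir, or None when the
    request escapes it, carries a NUL byte, or is not valid percent-encoded UTF-8.
    Canonicalize-then-compare ignores how the bytes are dressed up; only the
    resolved path is judged, so there is no ../ blacklist to slip past."""
    try:
        # Decode exactly once (a web framework normally does this for you).
        # Overlong UTF-8 such as ..%c0%af fails strict decoding, and the
        # double-encoded %252e stays the literal text '%2e', never '..'.
        decoded = unquote(user_input, errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        return None  # passwd%00.png: reject instead of letting C code truncate it
    # Treat backslashes as separators on every platform so ..\..\ cannot traverse
    # on Windows while looking like a harmless single filename on Linux.
    decoded = decoded.replace("\\", "/")
    base = base_dir.resolve()
    # Drop a leading "/" so absolute input is re-anchored under base.
    candidate = (base / decoded.lstrip("/")).resolve()
    # resolve() collapses ".." and follows symlinks, so a link planted inside
    # base_dir that points outside it also fails this containment test.
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs taken from the list above, plus one benign name.
    for payload in ["reports/q1.txt", "../../etc/passwd",
                    "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..%c0%af..%c0%afetc/passwd",
                    "../../etc/passwd%00.png", "..\\..\\..\\etc\\passwd",
                    "%252e%252e%252fetc"]:
        result = resolve_within_base(payload)
        print(f"{payload!r:40} -> {'REJECTED' if result is None else result}")
```

Note that the double-encoded payload is accepted as a plain filename containing percent signs, which is the correct outcome: it only becomes ../ if the application decodes a second time.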

19. Exploiting Logical File Inclusion

  • Manipulating file-reading functions that take a user-controlled path and return whatever file it resolves to.
    • Example: A language construct such as file_get_contents() in PHP called on an unvalidated path.

20. Misuse of Backup or Temporary Files

  • Exploiting backup file locations or predictable temporary files.
    • Example: /app?file=../../etc/passwd~ or /app?file=../../tmp/passwd_copy

21. Traversal in Interpreted Files

  • Embedding traversal sequences in structured input such as XML or JSON that the application later uses as a file path, so that validation applied only to URL parameters misses them.
    • Example: <filePath>../../etc/passwd</filePath> in an XML input.