Path traversal attacks may cause your sensitive data to be leaked. The attack relies on adding "../" or similar sequences to a requested path so that the application accesses files outside its intended root directory.
WARNING: We’re not responsible for damage caused by path traversal attacks! Malicious hacking is a computer crime and you may face legal consequences! This post is meant to gain awareness about path traversal attacks and give a way to prevent those vulnerabilities.
The impact of path traversal attacks
Path traversal attacks may cause leakage of:
- Application code and data
- Credentials for the application
- Sensitive operating system files
- Other sensitive data
In some cases, an attacker might also be able to write to arbitrary files, which may lead to data loss, broken web applications, and even the attacker seizing control of the server.
Example: a static web server written in JavaScript
Let’s take the vulnerable server from our tutorial for a static web server running on Node.js:
```javascript
//WARNING!!! PATH TRAVERSAL
```
Let’s assume the web root is /home/user/server/. If the request URL is /robots.txt, the web server reads the file /home/user/server/robots.txt and returns its contents.
But what if the request path is /../../../../../../../../etc/passwd? In this case, the web server goes up to the parent directory multiple times and reads /etc/passwd, a file outside the web root. The contents of /etc/passwd are leaked!
Sometimes, there is protection that works on ../ sequences but fails with one of these sequences:
- ..\
- ..%2f (represents ../)
- %2e%2e%2f (represents ../)
- %2e%2e/ (represents ../)
- ..%5c (represents ..\)
- %2e%2e%5c (represents ..\)
- %2e%2e\ (represents ..\)
- %252e%252e%255c (double URL encoding; represents ..\)
- ..%255c (double URL encoding; represents ..\)
- ..%c0%af (represents ../)
- ..%c1%9c (represents ..\)
- ....// (nested path traversal sequence)
- ....\\ (nested path traversal sequence)
and so on. The \ character is a path component separator in Windows (in many other OSes, like GNU/Linux, the separator is /).
Path traversal attack prevention
You can prevent path traversal attacks by using a path sanitizer, by normalizing paths, or by simply removing path traversal sequences. It is also important that the sanitizer bypass sequences shown above are removed as well. Ensure that URLs with double URL encoding are not decoded back into ../ or ..\ sequences.
The fixed server from the example above is as follows:
```javascript
var http = require("http");
```
The fixed server will first replace every "\" character with "/". Then it will remove "%00" and null bytes. Next it will remove "../" and "./" sequences. Finally, it removes duplicate slashes.
Let’s try the /../../../../../../../../etc/passwd sequence! First, the path name is obtained from the request URL. Then the path name gets decoded to /../../../../../../../../etc/passwd. Next, the path name is sanitized to /etc/passwd. The server will then try to access the file /home/user/server/etc/passwd; at least it is not accessing the /etc/passwd file outside the web root.
What about bypasses? Let’s try /..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd! The path name is obtained from the request URL, but the decoding fails, as the decodeURIComponent JavaScript function will throw a “URI malformed” error. The error gets caught, and the server responds with a 400 Bad Request HTTP status code.
You can use a path sanitizer (the example is written in JavaScript and used by SVR.JS itself; view the source), as shown below:
```javascript
// SVR.JS path sanitizer function
```