Directory Traversal Attacks Test Scenarios.

Directory Traversal attack is a web security vulnerability which allows attacker to gain access to arbitrary files and Directories on the server which are restricted by the users.

Directory Traversal attacks is also known by Path Traversal attack, Dot-Dot Slash Attack, Directory climbing and Backtracking attacks.

How it is Caused:

Directory Traversal attacks is caused by insufficient input validation and sanitization of user supplied input, such as characters like (../../)

Severity of this attack:

Depending on the impact caused, the severity can be Low, Medium and High.

Impact of this Attack:

An attacker can read arbitrary files on the server. This might include credentials from backend system, Sensitive files from Operating system, Application source code, Server logs, and other files containing sensitive information. If combined with file upload functionality, these attacks can lead to Remote code Execution.

Testing Methodology:

These attacks can be tested using manual approach by using proxy tool like Burpsuite. Automated Scanning tools such as Burpsuite Scanner, Acunetix, Netsparker, Qualys, etc also detects such kind of attacks.

Test Case Scenarios:

Test case scenarios is performed with the help of portswigger labs wherein ‘filename’ parameter is vulnerable to Path Traversal attacks due to use of Improper input validation.

Tool used : Burpsuite.

Case 1 : Simple Case

Payload : filename=../../../etc/passwd

Case 2: Traversal sequence blocked with absolute path bypass.

Payload : filename=/etc/passwd.

Case 3 : Traversal sequences stripped non-recursively.

Payload: filename=….//….//….//etc/passwd

Case 4: Sequence stripped with URL Decode.

Payload: filename= ..%252f..%252f..%252fetc/passwd

Case 5: Validation of start of the path.

Original request : filename=/var/www/images/11.jpg

Malformed request with payload: filename=/var/www/images/11.jpg../../../etc/passwd.

Case 6: Nullbyte bypass

Payload: filename=../../../etc/passwd%00.jpg

How to prevent Directory traversal attacks:

1) The most effective way to prevent these kind of attacks is proper validation and sanitization of user supplied input in the application. The validation should compare against whitelist of permitted values or content such as purely alphanumeric characters.

2) Beyond this, filters can be used to block certain user input by blocking commands and escape code that is commonly used by the attackers.

3) Ensure that up-to date web server software is used with current patches. Regularly patching software is a best practice for reducing security risk, as software patches typically contain security fixes.

References: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/README.md