1. Introduction

In this tutorial, we’ll discuss file path traversal attacks, a common and quite treacherous vulnerability. File path or directory traversal attacks aim to gain access to folders and files that shouldn’t be openly accessible. The usual targets are application source code and data, or even critical operating system files.

2. Path Traversal Vulnerability

In short, the attacker’s goal is to explore the target’s filesystem. This can range from reading source code and data files to reading critical operating system files, such as those holding password hashes. If the attacker can write files, as with uploads, it can be even more dangerous: the attacker can modify the application, deface it, upload backdoors and spurious code, or even create new user credentials on the host by modifying password files. So, applications prone to this attack are those that allow the user to specify a filename (whether in the URI or in POST query parameters) for some operation. The problem occurs if they don’t check the string for absolute or relative path components. For instance:

http://www.somecompany.com/someapp/download?file=../../../../../../../../../etc/passwd

In this case, the attacker uses “../” sequences to exploit a download function. The “../” in Linux (and the “..\” in Windows) means “go up one directory from the current path”. That’s the most common pattern for this class of attacks, also known as the ‘dot-dot-dash’ attack. The malicious parameter may also point to relative or absolute paths on the target’s filesystem. And, to make things worse, the “../” can be obfuscated in a number of ways to make attack attempts harder to identify, for example with encoding variations such as:

  • “%2e”, “%252e” (double-encoding) or “%c0%ae” (UTF8 encoding) to place a . (dot)
  • “%2f”, “%252f” (double-encoding) or “%c0%af” (UTF8 encoding) to place a slash (/)
  • “%5c”, “%255c” (double-encoding) or “%c1%9c” (UTF8 encoding) to place a backslash (\)
  • “%3a”, “%253a” (double-encoding) or “%c0%3a” (UTF8 encoding) to place a colon (:)

Last but not least, some archive formats, such as .zip, also allow path traversal. So, special care must be taken whenever archives are extracted to the filesystem.

3. Mitigating Path Traversal Attacks

Note that the path traversal vulnerability is one of the usual vectors for ransomware attacks, for instance. It may allow the upload of ransomware code to our application servers. Once part of the application code has been replaced, the next step is just a matter of tricking the server into executing it. There are a number of measures we can use to properly mitigate path traversal attacks:

  • Avoid using filesystem access APIs with user-supplied parameters
  • Ensure that the application server runs with restricted permissions, i.e. it can only read and write to the required paths and uses access-restricted credentials
  • Chroot your application. The chroot system call traps the application execution context to a specific folder path. That ensures that the application will not be able to read or write files it is not supposed to
  • Validate any user input against the valid patterns. That’s a recommendation that never gets old. Regarding filenames, we must evaluate the filename user parameters to check they are valid within the expected scope
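One way to implement the validation step, shown as an added example that is not code from the original tutorial: it decodes the percent-encoded variants listed in section 2, then checks that the resolved path stays inside a base directory. The names `safe_resolve`, `is_rejected` and `SAMPLES` are hypothetical, the sample inputs are constructed, and a POSIX host is assumed.

```python
import os
import tempfile
from urllib.parse import unquote

def safe_resolve(base_dir, user_value, max_rounds=3):
    """Return the real path of user_value inside base_dir, or raise ValueError."""
    decoded = user_value
    # Decode until stable so double-encoded input (%252e) is judged in its final
    # form. errors="strict" makes invalid UTF-8 such as %c0%ae raise
    # UnicodeDecodeError, which is a subclass of ValueError.
    for _ in range(max_rounds):
        previous, decoded = decoded, unquote(decoded, errors="strict")
        if decoded == previous:
            break
    else:
        raise ValueError("too many encoding layers")
    # Treat backslashes as separators so "..\" is caught on any platform.
    candidate = decoded.replace("\\", "/")
    if "\x00" in candidate or ":" in candidate or candidate.startswith("/"):
        raise ValueError("absolute path or forbidden character")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check.
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target

def is_rejected(base_dir, user_value):
    """True when safe_resolve refuses the value."""
    try:
        safe_resolve(base_dir, user_value)
        return False
    except ValueError:
        return True

# Constructed sample inputs built from the encodings listed in section 2.
SAMPLES = [
    "reports/q1.pdf",
    "../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "%252e%252e%252fetc%252fpasswd",
    "%c0%ae%c0%ae%c0%afetc%c0%afpasswd",
    "..%5c..%5cetc%5cpasswd",
    "c%3a%5cdata%5cfile.txt",
    "/etc/passwd",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for value in SAMPLES:
            print("REJECT" if is_rejected(base, value) else "ALLOW ", value)
```

Only the first sample is allowed. The check runs on the fully decoded, resolved path rather than on a blocklist of “../” strings, which is why the encoded variants fail as well.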

4. Conclusion

As we saw in this tutorial, even a simple vulnerability can be very damaging. In the case of path traversal, accepting user-supplied filenames without proper validation is enough to create a lot of issues. So, remember that we can never be careful enough when it comes to validating user input. With proper validation, we can avoid many common flaws that plague web applications worldwide.
