CAPEC-139 - Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1): Injection
  • Purposes (2): Penetration, Exploitation
  • Scopes (6):
      • Modify files or directories (Integrity)
      • Read files or directories (Confidentiality)
      • Execute unauthorized code or commands
      • Bypass protection mechanism
      • DoS: crash / exit / restart (Availability)
      • DoS: instability (Availability)

Low level: To inject the malicious payload in a web page

High level: To bypass non-trivial filters in the application

The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.

Step 1 - Survey application

Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds and picks out the URL parameters that may relate to file access.

Technique ID: 1 - Environment(s) env-Web

Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

Technique ID: 2 - Environment(s) env-Web

Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

Technique ID: 3 - Environment(s) env-Web

Use a browser to manually explore the website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate URL discovery.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

There are links that include parameters in URL.

Indicator ID: 2 - Environment(s) env-Web env-CommProtocol env-ClientServer

Type: Inconclusive

Using URL rewriting, parameters may be part of the URL path.

Indicator ID: 3 - Environment(s) env-Web

Type: Inconclusive

No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.

Indicator ID: 4 - Environment(s) env-Web

Type: Negative

Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Preventative

Use CAPTCHA to prevent the use of the application by an automated tool.

Security Control ID: 3

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.


Outcome ID: 1

Type: Success

A list of URLs, with their corresponding parameters is created by the attacker.

Outcome ID: 2

Type: Success

A list of application user interface entry fields is created by the attacker.

Outcome ID: 3

Type: Success

A list of resources accessed by the application is created by the attacker.



Step 1 - Attempt variations on input parameters

Possibly using an automated tool, an attacker requests variations on the identified inputs. He sends parameters that include variations of payloads.

Technique ID: 1 - Environment(s) env-Web

Use a list of probe strings as path traversal payloads. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".

Technique ID: 2 - Environment(s) env-Web

Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

Attackers can access arbitrary files.

Indicator ID: 2 - Environment(s) env-Web env-CommProtocol env-ClientServer

Type: Inconclusive

The output of pages includes error messages if the requested file does not exist.

Indicator ID: 3 - Environment(s) env-Web env-CommProtocol env-ClientServer

Type: Negative

All context-sensitive characters are consistently re-encoded before being sent to the web browser.


Security Control ID: 1

Type: Detective

Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard relative path traversal probes. Use the same vulnerability catalogs that adversaries use.
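The detective control above can be implemented as a log-scanning rule. The following is an added example, not part of the CAPEC entry: it canonicalizes each request target (bounded repeated percent-decoding to unwrap double encoding, backslashes folded to forward slashes) and flags any URL path segment or query-string value that is exactly "..". The log lines are constructed for the example and the `/download?file=` endpoint is hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (combined-log style). They are
# invented for this example and do not come from any real system.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /download?file=../../app/config.ini HTTP/1.1" 200 1840',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /download?file=..%2F..%2Fapp%2Fconfig.ini HTTP/1.1" 200 1840',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /download?file=..%252F..%252Fapp%252Fconfig.ini HTTP/1.1" 404 210',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=..\\..\\app\\config.ini HTTP/1.1" 404 210',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /files/%2e%2e/%2e%2e/app/config.ini HTTP/1.1" 403 150',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/css/main.css HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded, so %252F-style
    double encoding is unwrapped) and fold backslashes into forward slashes so
    Windows-style probes are matched by the same rule."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_dotdot_segment(value: str) -> bool:
    """True when, after canonicalization, some path segment is exactly '..'."""
    return any(segment == ".." for segment in canonicalize(value).split("/"))


def contains_traversal(target: str) -> bool:
    """Check both the URL path (URL rewriting may put parameters there) and
    every query-string value for a parent-directory segment."""
    path, _, query = target.partition("?")
    if has_dotdot_segment(path):
        return True
    for pair in query.split("&"):
        _, _, value = pair.partition("=")
        if has_dotdot_segment(value):
            return True
    return False


def parse_request_target(line: str):
    """Extract the request target from a combined-log line, or None."""
    match = REQUEST_RE.search(line)
    return match.group("target") if match else None


def scan_log(lines):
    """Return (line_number, client_ip, request_target) for each request whose
    target contains a traversal sequence; this is what an alert would carry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        target = parse_request_target(line)
        if target is not None and contains_traversal(target):
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, target))
    return hits


if __name__ == "__main__":
    for number, client_ip, target in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: traversal probe from {client_ip}: {target}")
```

Canonicalizing before matching is the point: a rule that looks for the literal string "../" misses the percent-encoded, double-encoded and backslash forms that the same log shows. The segment test deliberately ignores file names that merely contain dots, so it does not alert on names like "notes..txt".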

Security Control ID: 2

Type: Preventative

Apply appropriate input validation to filter all user-controllable input.

Security Control ID: 2

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating path traversal probes.


Outcome ID: 1

Type: Success

The attacker's file path probe string is being reflected verbatim at some point in the web site (if not on the same page).

Outcome ID: 2

Type: Success

An error message or exception. Note that the system may leak information to the attackers in the error messages, e.g. "File Not Found", "File Access Restricted".



Step 1 - Access, modify, or execute arbitrary files.

An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker may be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, he/she could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands.

Technique ID: 1 - Environment(s) env-Web

Manipulate the file and its path by injecting relative path sequences (e.g. "../").

Technique ID: 2 - Environment(s) env-Web

Download files, modify files, or try to execute shell commands (with binary files).

Security Control ID: 1

Type: Detective

Monitor server logs for unintended file access, modification and execution.

Security Control ID: 2

Type: Preventative

Apply appropriate input validation to filter all user-controllable input of path syntax.


Outcome ID: 1

Type: Success

The attacker accesses the content of restricted files.

Outcome ID: 2

Type: Success

Apply appropriate input validation to filter all user-controllable input of path syntax.



Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application.

Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.

Implementation: Perform input validation for all remote content, including remote and user-generated content.

Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.

Implementation: Prefer working without user input when using file system calls.

Implementation: Use indirect references rather than actual file names.

Implementation: Use the most restrictive permissions possible on file access when developing and deploying web applications.
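The mitigations above (validate paths, confine file system calls, use indirect references) can be shown side by side. The following is an added example and not code from the CAPEC entry: it contrasts the weakness this pattern relies on (a user string joined straight onto a document root) with a confined reader that canonicalizes the result and refuses anything outside the root, and with a key-to-file catalogue so the client never names a file at all. The document root, file names and `DOWNLOAD_CATALOGUE` entries are hypothetical and built in a temporary directory.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would resolve outside the document root."""


# Vulnerable form: the user-supplied string is joined straight onto the root.
# "../" segments, absolute paths and symlinks all let it leave the root.
def read_file_unsafe(root, user_path: str) -> bytes:
    return (Path(root) / user_path).read_bytes()


def resolve_within_root(root, user_path: str) -> Path:
    """Canonicalize root + user_path (resolve() collapses '..' and follows
    symlinks) and refuse anything whose canonical form is not under root."""
    root_real = Path(root).resolve()
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathTraversalError(f"path escapes document root: {user_path!r}") from None
    return candidate


def is_within_root(root, user_path: str) -> bool:
    """Containment check without reading anything; usable before any I/O."""
    try:
        resolve_within_root(root, user_path)
        return True
    except PathTraversalError:
        return False


def read_file_safe(root, user_path: str) -> bytes:
    return resolve_within_root(root, user_path).read_bytes()


# Indirect references: the client sends an opaque key, never a file name.
# Hypothetical catalogue, constructed for this example.
DOWNLOAD_CATALOGUE = {
    "annual-report": "reports/report.pdf",
    "terms": "legal/terms.txt",
}


def read_by_key(root, key: str) -> bytes:
    relative = DOWNLOAD_CATALOGUE.get(key)
    if relative is None:
        raise KeyError(f"unknown download key: {key!r}")
    # Still confined, so a mistaken catalogue entry cannot escape either.
    return resolve_within_root(root, relative).read_bytes()


def demo():
    """Build a throwaway tree with one file outside the document root and
    show the unsafe reader leaking it while the confined readers refuse."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docroot = base / "docroot"
        (docroot / "reports").mkdir(parents=True)
        (docroot / "reports" / "report.pdf").write_bytes(b"public report")
        (base / "secret.txt").write_bytes(b"outside the document root")

        leaked = read_file_unsafe(docroot, "../secret.txt")
        try:
            read_file_safe(docroot, "../secret.txt")
            dotdot_blocked = False
        except PathTraversalError:
            dotdot_blocked = True

        # A symlink inside the root that points outside is also caught,
        # because resolve() follows it before the containment check.
        try:
            (docroot / "link.txt").symlink_to(base / "secret.txt")
            symlink_blocked = not is_within_root(docroot, "link.txt")
        except (OSError, NotImplementedError):
            symlink_blocked = None  # platform does not allow creating symlinks

        by_key = read_by_key(docroot, "annual-report")
        return leaked, dotdot_blocked, symlink_blocked, by_key


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the canonical path rather than on the input string, so it holds regardless of how the ".." was encoded or whether it arrived through a symlink; string-level filtering of "../" is still useful as a detection signal but is not what keeps the read inside the root. The catalogue variant removes the user-controlled path entirely, which is the strongest of the three positions the page recommends.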