Path/Directory Traversal Vulnerability

Bhupendra budha
Jan 13
4 min read

Updated: Jan 26

Path/Directory Traversal Vulnerability is a type of security issue in software applications where an attacker can access files or directory information by exploiting the directory path input fields. For example, using ../ (parent directory) allows the attacker to traverse outside the intended directory. Moreover, attackers can manipulate input fields to access sensitive information within the directory, such as configuration files (e.g., /etc/passwd on Linux), source code, database files, logs, and more.

The tree structure above might contain sensitive information such as database credentials, API keys, log files, and secret text files. Given this directory, an attacker can craft simple payloads to exploit path traversal vulnerabilities:

../../config/database.php
../../logs/access.log
../../admin/secret.txt

To simulate this vulnerability, we will use Burp Suite and some labs from the Web Security Academy.

Let's Warm Up with a Simple Attack

By manipulating web requests, attackers can overwrite the filename input value with other values to test input field sanitization.

Such exploitation demonstrates a broken access control vulnerability, where attackers gain unauthorized access to data, resources, or functionalities due to improper authorization and authentication enforcement.

Next, we attempt to load files beyond the web root directory.

Sometimes, attackers cannot directly obtain information using /etc/passwd. In such cases, they can use trial-and-error methods with payloads, such as ../../etc/passwd. The ../../ sequence is a relative path traversal mechanism that allows the attacker to move up two directories in the file system hierarchy.

Introducing the "Null Byte"

The null byte (\0) is used in C programming as a string terminator, influenced by hardware and memory constraints. It plays a crucial role in string management. For example:

In memory, the above string occupies six bytes, with the last byte reserved for the null terminator. Functions like strcpy(), strcat(), and strlen() from standard libraries rely on the null byte, potentially opening the door to attacks like buffer overflows.

When data is transmitted via URLs, certain characters are encoded. For instance, %00 represents a null byte in URL encoding.

Exploitation of Null Byte %00 in Path Traversal

Consider the following pseudo-PHP code:

The user input $_GET['filename'] is appended to the base path /var/www/html/images/. A conditional check ensures the last four characters of $path are .jpg, enforcing the input field to accept only .jpg files.

Extension Check Bypass Using Null Byte %00

An attacker can bypass this extension check by providing the following input in the URL:

The filename from the attacker will have the specified value.
The path variable will process the input like this:
During the extension check, the path variable satisfies the condition enforced by the developer (substr($path, -4) == '.jpg').
The actual path becomes:
Thus, null-byte vulnerabilities are exploited.

Bypassing Filtering

Now, in some cases, the above methods won't work; developers may come up with strategies to strip off “../” from the payload enforced by the attacker. This can somehow stop the attacker from executing path traversal vulnerabilities.

On the other hand, the hacker can design a new payload considering the above scenario. The following input payload can easily bypass the filtering technique implemented by the developer in their application.

This simple payload can bypass the filtering and provide access to the “/etc/passwd” file by blocking exact matches of “../” but not considering variations like “..//,” “....//,” or “%2e%2e%2f” (URL-encoded ../).

Bypassing Hard-Coded Paths

Naive developers sometimes hard-code file paths into the application. Attackers can exploit such paths by manipulating the input and executing path traversal attacks.

Bypassing Advanced Filtering

Also, let’s consider another situation where the developer sets up an advanced filtering technique. During the transmission of a newly designed payload from the attacker, the forward slash (/) can be blocked due to the implementation of advanced filtering or a firewall. In such a situation, the attacker can rewrite the payload in URL-encoded form instead of directly using the character. This technique can help avoid the detection of characters if there are any advanced filtering techniques in the system.

Thus, the use of URL-encoded equivalents can assist in avoiding such detection.

Character	URL-encoded Form
/	%2F
.	%2E

Original Payload	URL-encoded Payload
../../etc/passwd	%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

Bypassing Extreme Filtering

Manually brute-forcing path traversal vulnerabilities can be exhausting, as attackers need to test numerous payloads (e.g., basic, URL/Hex/Unicode/Mixed-Encoded Payloads, Double URL-Encoding, etc.).

To automate this process, we use Burp Suite's Intruder feature:

Send the request to Intruder and select the section where payloads should be inserted.
Under the payloads section, copy and paste all possible payloads.
Start the attack. Burp Suite will iterate through all payloads and brute-force the filename input section.

The results will show three positive outcomes (status code: 200), indicating successful payload injections for a path traversal attack.

Conclusion

Thus, path/directory traversal vulnerabilities are critical security threats that allow attackers to exploit improper input validation and filtering mechanisms to access sensitive files and data. Techniques such as relative path traversal, null byte injection, URL encoding, and bypassing advanced filtering or hard-coded paths highlight the need for robust defenses. Developers must implement proper input validation, secure coding practices, and thorough vulnerability testing using tools like Burp Suite to identify and address potential weaknesses. By understanding these exploitation methods and applying proactive security measures, developers can better protect their applications and safeguard sensitive information against malicious actors.

Reference

OWASP (n.d.). Path Traversal. Open Web Application Security Project. Available at: https://owasp.org/www-community/attacks/Path_Traversal (Accessed: 12 January 2025).
PortSwigger (n.d.). Directory Traversal. Web Security Academy. Available at: https://portswigger.net/web-security/file-path-traversal (Accessed: 12 January 2025).
MITRE (n.d.). CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Common Weakness Enumeration. Available at: https://cwe.mitre.org/data/definitions/22.html (Accessed: 12 January 2025).
NIST (n.d.). National Vulnerability Database - Path Traversal Vulnerabilities. National Institute of Standards and Technology. Available at: https://nvd.nist.gov/vuln/search/results?query=path+traversal (Accessed: 12 January 2025).
PortSwigger (n.d.). Burp Suite - Web Application Security Testing. Available at: https://portswigger.net/burp (Accessed: 12 January 2025).
Berners-Lee, T., Fielding, R. & Masinter, L. (2005). Uniform Resource Identifier (URI): Generic Syntax. RFC 3986. Internet Engineering Task Force (IETF). Available at: https://datatracker.ietf.org/doc/html/rfc3986 (Accessed: 12 January 2025).