Path Traversal uses knowledge of file paths and directories to gain access to information a user should not be able to reach. In both Windows and Linux file systems '..' represents the parent directory. Using ../../secretFile.txt, a user can access secretFile.txt without knowing the full directory layout.
Exploit:
An attacker simply needs to know the name of the file stored on the server to gain access to it. According to Gruyere, most developers don't even change the default file structure for their web application.
If an attacker knows the structure of your file system, then they can craft a URL that will traverse out of the installation directory to /etc. For example, if Picasa was vulnerable to path traversal and the Picasa servers use a Unix-like system, then the following would retrieve the password file: http://www.picasa.com/../../../../../../../etc/passwd
Fix:
Most web browsers, like Chrome and Firefox, normalize away '..' in URLs before sending the request, but this is only client-side behaviour and can be circumvented by using a different browser or a web proxy, so the server cannot rely on it.
Gruyere suggests serving only specific resource files. This can be accomplished by hardcoding a list of accessible files when the application starts. Only requests for files on that list will be accepted.
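The allowlist fix beside the unchecked version, as an added example that is not code from Gruyere or the original post. It assumes the application serves files from one fixed resource directory (a constructed temporary tree here) and, as defence in depth, also shows a realpath containment check the post does not mention.

```python
import os
import tempfile

# Constructed demo tree: a resource directory plus a "secret" file one level above it.
ROOT = tempfile.mkdtemp()
RESOURCE_DIR = os.path.join(ROOT, "resources")
os.makedirs(RESOURCE_DIR)
with open(os.path.join(RESOURCE_DIR, "style.css"), "w") as f:
    f.write("body{}")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("SECRET")

# Allowlist built once at application start: the fix described above.
ALLOWED_FILES = frozenset({"style.css", "logo.png"})


def serve_unchecked(name):
    """Joins the user-supplied name onto the resource directory with no validation.
    This is the vulnerable pattern: '../secret.txt' escapes RESOURCE_DIR."""
    path = os.path.join(RESOURCE_DIR, name)
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def serve_allowlisted(name):
    """Refuses anything not on the hardcoded allowlist before touching the file system."""
    if name not in ALLOWED_FILES:
        return None
    return serve_unchecked(name)


def is_inside(base, path):
    """Defence in depth: resolve '..' and symlinks, then confirm the result stays under base."""
    base = os.path.realpath(base)
    real = os.path.realpath(path)
    return os.path.commonpath([base, real]) == base


def serve_contained(name):
    """Alternative check for apps that cannot enumerate every file up front."""
    path = os.path.join(RESOURCE_DIR, name)
    if not is_inside(RESOURCE_DIR, path):
        return None
    return serve_unchecked(name)
```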
For more information on Path Traversal: https://www.owasp.org/index.php/Path_Traversal
http://google-gruyere.appspot.com/part4#4__path_traversal