Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path made of dot and slash characters in order to gain access to arbitrary files or resources. The attacker modifies a known path on the target to reach material that is not available through the intended channels. These attacks normally involve inserting extra path separators (/ or \) and/or dots (.), or encodings of them, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
The attacker uses relative path traversal to access files in the application. This is an example of accessing a user's password file.
However, the target application employs regular expressions to make sure no relative path sequences are passed through the application to the web page. The application replaces every match of this regex with the empty string.
The attacker then crafts special payloads to bypass this filter:
After the application has applied the filter to this input string, what remains is exactly the vector the attacker intended.
Skill or Knowledge Level: Low
To inject the malicious payload in a web page
Skill or Knowledge Level: High
To bypass non-trivial filters in the application
Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.
Implementation: Prefer working without user input when using file system calls.
Implementation: Use indirect references rather than actual file names.
Implementation: Use the most restrictive file access permissions possible when developing and deploying web applications.
• Attackers may create or overwrite critical files.
• Execute unauthorized code or commands.
• Information leakage: attackers may read confidential files of the application.
• Attackers may delete or corrupt critical files or data, causing denial of service to legitimate users.
Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application.
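As an added example (not part of the CAPEC entry), the following Python contrasts the strip-based filter described above with the validation the mitigations call for: decode, normalize, then verify that the resolved path stays inside a fixed base directory, and serve files through indirect references rather than raw names. The base directory and the reference map are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example values: the directory the application is allowed to serve from,
# and an indirect-reference map (client supplies a key, never a file name).
BASE_DIR = "/var/www/app/uploads"
FILE_MAP = {"quarterly-report": "reports/q1.pdf", "logo": "images/logo.png"}


def naive_strip_filter(user_path: str) -> str:
    """The weak control from the text: delete every '../' match and pass the rest on.
    It rewrites input instead of rejecting it, so anything it does not match gets through."""
    return user_path.replace("../", "")


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Reject-based validation: canonicalize first, then check containment.

    Returns the absolute path to serve, or None if the request must be refused.
    """
    # Decode twice so single- and double-URL-encoded dots and slashes are seen as such.
    decoded = unquote(unquote(user_path))
    # Treat backslash as a separator as well, as the text notes both are used.
    decoded = decoded.replace("\\", "/")
    # Embedded NUL bytes can truncate the path at the OS layer; refuse them outright.
    if "\x00" in decoded:
        return None
    # Join onto the base directory and collapse every '.' and '..' component.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    # Containment check: the canonical path must be base_dir itself or below it.
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


def lookup_indirect_reference(ref: str) -> Optional[str]:
    """Indirect references (mitigation above): unknown keys yield nothing,
    and the mapped relative path still goes through safe_resolve."""
    rel = FILE_MAP.get(ref)
    return safe_resolve(rel) if rel is not None else None
```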