Home > CAPEC List > CAPEC-139: Relative Path Traversal (Version 2.4)  

CAPEC-139: Relative Path Traversal

 
Relative Path Traversal
Definition in a New Window Definition in a New Window
Attack Pattern ID: 139
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

Attack Execution Flow

Explore
  1. Survey application:

    Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. He picks out the URL parameters that may related to access to files.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

    env-Web
    2

    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

    env-Web
    3

    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    There are links that include parameters in URL.

    env-Web
    2Inconclusive

    Using URL rewriting, parameters may be part of the URL path.

    env-Web env-CommProtocol env-ClientServer
    3Inconclusive

    No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.

    env-Web
    4Negative

    Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    A list of URLs, with their corresponding parameters is created by the attacker.
    2Success
    A list of application user interface entry fields is created by the attacker.
    3Success
    A list of resources accessed by the application is created by the attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2Preventative
    Use CAPTCHA to prevent the use of the application by an automated tool.
    3Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
  1. Attempt variations on input parameters:

    Possibly using an automated tool, an attacker requests variations on the identified inputs. He sends parameters that include variations of payloads.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".

    env-Web
    2

    Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Attackers can access arbitrary files.

    env-Web
    2Inconclusive

    The output of pages includes some error messages if file does not exist.

    env-Web env-CommProtocol env-ClientServer
    3Negative

    All context-sensitive characters are consistently re-encoded before being sent to the web browser.

    env-Web env-CommProtocol env-ClientServer

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker's file path probe string is being reflected verbatim at some point in the web site (if not on the same page).
    2Success
    An error message or exception. Note that the system may leak information to the attackers in the error messages, e.g. "File Not Found", "File Access Restricted".

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard relative path traversal probes. Use the same vulnerability catalogs that hackers use.
    2Preventative
    Apply appropriate input validation to filter all user-controllable input.
    2Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating path traversal probes.
Exploit
  1. Access, modify, or execute arbitrary files.:

    An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker could be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, he/she could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Manipulate file and its path by injecting relative path sequences (e.g. "../").

    env-Web
    2

    Download files, modify files, or try to execute shell commands (with binary files).

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker accesses the content of restricted files.
    2Success
    Apply appropriate input validation to filter all user-controllable input of path syntax.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for unintended file access, modification and execution.
    2Preventative
    Apply appropriate input validation to filter all user-controllable input of path syntax
+ Attack Prerequisites
  • The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

(Attack)
 
http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd

However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.

Then an attacker creates special payloads to bypass this filter:

(Attack)
 
http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To inject the malicious payload in a web page

Skill or Knowledge Level: High

To bypass non trivial filters in the application

+ Solutions and Mitigations

Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement

Implementation: Perform input validation for all remote content, including remote and user-generated content.

Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.

Implementation: Prefer working without user input when using file system calls

Implementation: Use indirect references rather than actual file names.

Implementation: Use possible permissions on file access when developing and deploying web applications.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify files or directories
Confidentiality
Read files or directories
Execute unauthorized code or commands
Run Arbitrary Code
Bypass protection mechanism
Availability
DoS: crash / exit / restart
Availability
DoS: instability
+ Injection Vector

User-controllable input into web parameters or post variables.

+ Payload

variations on "../../" characters and encoded varieties.

+ Activation Zone

Web server processing of GET or POST content.

+ Payload Activation Impact

Description

• Attackers may create or overwrite critical files.

• Execute unauthorized code or commands.

• Information Leakage of applications that attackers may read confidential files.

• Attackers may delete or corrupt some critical files or data that cause denial of service to legal users.

+ Relevant Security Requirements

Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.139.1] [REF-5] "The OWASP Application Security Desk Reference". Path Traversal. The Open Web Application Security Project (OWASP). 2009. <https://www.owasp.org/index.php/Path_Traversal>.
[R.139.2] [REF-4] "OWASP Testing Guide". Testing for Path Traversal (OWASP-AZ-001). v3. The Open Web Application Security Project (OWASP). 2010. <https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)>.
[R.139.3] [REF-1] "WASC Threat Classification 2.0". WASC-33 - Path Traversal. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/w/page/13246952/Path-Traversal>.
+ Content History
Submissions
SubmitterOrganizationDateComments
Sean BarnumCigital2007-02-10Initial core pattern content
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation20011-07-19Review and Revision of Content
Romain GaucherCigital, Inc.2011-07-12Performed a review of content and added additional content
CAPEC Content TeamThe MITRE Corporation2013-06-21Updated Example-Instance_DescriptionInternal
CAPEC Content TeamThe MITRE Corporation2013-12-18Updated Attack_Phases, Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2014-02-06Updated Attack_Phases, Examples-InstancesInternal
CAPEC Content TeamThe MITRE Corporation2014-04-10Updated Attack_PhasesInternal

Page Last Updated: April 10, 2014