An attacker exploits a weakness in input validation on the target by
supplying a specially constructed path utilizing dot and slash characters
for the purpose of obtaining access to arbitrary files or resources. An
attacker modifies a known path on the target in order to reach material that
is not available through intended channels. These attacks normally involve
adding additional path separators (/ or \) and/or dots (.), or encodings
thereof, in various combinations in order to reach parent directories or
entirely separate trees of the target's directory structure.
Attack Execution Flow

Explore

Survey application:
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. He picks out the URL parameters that may relate to access to files.
Attack Step Techniques
1. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. [env-Web]
2. Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. [env-Web]
3. Use a browser to manually explore the website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate URL discovery. [env-Web]
Indicators
1. Positive: There are links that include parameters in the URL. [env-Web]
2. Inconclusive: Using URL rewriting, parameters may be part of the URL path. [env-Web, env-CommProtocol, env-ClientServer]
3. Inconclusive: No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. [env-Web]
4. Negative: Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. [env-Web]
Outcomes
1. Success: A list of URLs, with their corresponding parameters, is created by the attacker.
2. Success: A list of application user interface entry fields is created by the attacker.
3. Success: A list of resources accessed by the application is created by the attacker.
Security Controls
1. Detective: Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2. Preventative: Use CAPTCHA to prevent the use of the application by an automated tool.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment

Attempt variations on input parameters:
Possibly using an automated tool, an attacker requests variations on the identified inputs. He sends parameters that include variations of payloads.
Attack Step Techniques
1. Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as “../”. [env-Web]
2. Use a proxy tool to record results of manual input of relative path traversal probes in known URLs. [env-Web]
Indicators
1. Positive: Attackers can access arbitrary files. [env-Web]
2. Inconclusive: The output of pages includes some error messages if the file does not exist. [env-Web, env-CommProtocol, env-ClientServer]
3. Negative: All context-sensitive characters are consistently re-encoded before being sent to the web browser. [env-Web, env-CommProtocol, env-ClientServer]
Outcomes
1. Success: The attacker's file path probe string is being reflected verbatim at some point in the web site (if not on the same page).
2. Success: An error message or exception. Note that the system may leak information to the attackers in the error messages, e.g. “File Not Found”, “File Access Restricted”.
Security Controls
1. Detective: Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard relative path traversal probes. Use the same vulnerability catalogs that hackers use.
2. Preventative: Apply appropriate input validation to filter all user-controllable input.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating path traversal probes.
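The two detective controls above (velocity monitoring of page fetching in web logs, and alerting on relative path traversal probes in HTTP input), as an added Python example that is not part of the CAPEC entry: it parses constructed access-log lines, percent-decodes each request target repeatedly so double-encoded probes are caught, and reports per client the probe count and whether the request spacing looks automated. The log format, the 2-second spacing threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /getProfile.jsp?filename=report.pdf HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /getProfile.jsp?filename=../../etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /getProfile.jsp?filename=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /getProfile.jsp?filename=%252e%252e%255cwin.ini HTTP/1.1" 404 0
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:57:45 +0000] "GET /about.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) \S+" (\d{3})')
# A ".." segment delimited by "/", "\", "=", "?" or "&" (or string start/end), checked after decoding.
TRAVERSAL_RE = re.compile(r'(^|[/\\=?&])\.\.([/\\]|$)')

def fully_decode(s, rounds=3):
    # Undo up to `rounds` layers of percent-encoding so double-encoded probes are caught.
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_traversal_probe(target):
    # True when the decoded request target contains a parent-directory sequence.
    return bool(TRAVERSAL_RE.search(fully_decode(target)))

def analyze(log_text, max_interval=2.0):
    # Per client IP: number of traversal probes, and whether request spacing looks automated
    # (three or more requests with every gap <= max_interval seconds).
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, target, _status = m.groups()
            per_ip[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), target))
    report = {}
    for ip, recs in per_ip.items():
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "probes": sum(is_traversal_probe(t) for _, t in recs),
            "automated": len(gaps) >= 2 and all(g <= max_interval for g in gaps),
        }
    return report
```

On the sample above, 203.0.113.7 is reported with three probes and automated spacing, while 198.51.100.4 shows no probes and human-paced requests.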
Exploit

Access, modify, or execute arbitrary files:
An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker may be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, he/she could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands.
Attack Step Techniques
1. Manipulate the file and its path by injecting relative path sequences (e.g. “../”). [env-Web]
2. Download files, modify files, or try to execute shell commands (with binary files). [env-Web]
Outcomes
1. Success: The attacker accesses the content of restricted files.
2. Success: Apply appropriate input validation to filter all user-controllable input of path syntax.
Security Controls
1. Detective: Monitor server logs for unintended file access, modification and execution.
2. Preventative: Apply appropriate input validation to filter all user-controllable input of path syntax.
Attack Prerequisites
The target application must accept a string as user input, fail to
sanitize combinations of characters in the input that have a special meaning
in the context of path navigation, and insert the user-supplied string into
path navigation commands.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
The attacker uses relative path traversal to access files in the application. This is an example of accessing the user password file.
However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regexp with the empty string.
Then an attacker creates special payloads to bypass this filter:
http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
When the application gets this input string, it becomes the vector the attacker intended.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To inject the malicious payload in a web page
Skill or Knowledge Level: High
To bypass non-trivial filters in the application
Solutions and Mitigations
Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to the client is sanitized against an acceptable content specification (whitelisting approach).
Implementation: Prefer working without user input when using file system calls.
Implementation: Use indirect references rather than actual file names.
Implementation: Use the most restrictive file access permissions possible when developing and deploying web applications.
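The Examples-Instances bypass above and the mitigations just listed, as an added Python example that is not from the CAPEC entry: weak_resolve reproduces the described filter (strip every "../" match from the raw parameter, then decode and build the path), safe_resolve shows the hardened order of operations (decode, normalise, confirm the result stays under the base directory), and indirect_resolve is the indirect-reference mitigation. The base directory /srv/app/profiles, the profile index and the function names are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical directory the profile files live in; nothing outside it may be served.
BASE_DIR = "/srv/app/profiles"
# The page's filter: a regexp that removes every "../" match from the parameter.
DOTDOT_SLASH = re.compile(r"\.\./")

def weak_resolve(raw_param):
    # Vulnerable order of operations: filter the raw (still percent-encoded) text,
    # then decode and build the path. "%2e%2e/" contains no literal "../" so it survives.
    cleaned = DOTDOT_SLASH.sub("", raw_param)
    decoded = unquote(cleaned)
    return os.path.normpath(os.path.join(BASE_DIR, decoded))

def safe_resolve(raw_param):
    # Hardened: decode first (twice, to cover double encoding), reject NUL, normalise,
    # then require the result to remain inside BASE_DIR. normpath does not follow
    # symlinks; use os.path.realpath on a real deployment to cover them too.
    decoded = unquote(unquote(raw_param))
    if "\x00" in decoded:
        raise ValueError("NUL byte in filename")
    candidate = os.path.normpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("filename escapes the profile directory")
    return candidate

# Indirect references: the client names a key, never a path (constructed sample index).
PROFILE_INDEX = {"alice": "alice.xml", "bob": "bob.xml"}

def indirect_resolve(profile_key):
    try:
        return os.path.join(BASE_DIR, PROFILE_INDEX[profile_key])
    except KeyError:
        raise ValueError("unknown profile") from None

if __name__ == "__main__":
    plain = "../../../../etc/passwd"
    encoded = "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
    print(weak_resolve(plain))      # /srv/app/profiles/etc/passwd  (filter worked)
    print(weak_resolve(encoded))    # /etc/passwd                  (filter bypassed)
    for probe in (plain, encoded):
        try:
            safe_resolve(probe)
        except ValueError as e:
            print("rejected:", e)
```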
Attack Motivation-Consequences
Integrity: Modify files or directories
Confidentiality: Read files or directories
Execute unauthorized code or commands
Bypass protection mechanism
Availability: DoS: crash / exit / restart
Availability: DoS: instability
Injection Vector
User-controllable input into web parameters or post variables.
Payload
variations on "../../" characters and encoded varieties.
Activation Zone
Web server processing of GET or POST content.
Payload Activation Impact
Description
• Attackers may create or overwrite critical files.
• Attackers may execute unauthorized code or commands.
• Information leakage: attackers may read confidential files.
• Attackers may delete or corrupt critical files or data, causing denial of service to legitimate users.
Newsletter module allows reading arbitrary files using "../" sequences.
CVE-2009-4581
PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function.
Related Attack Patterns
ChildOf 126, in view 1000 Mechanism of Attack (primary)
ChildOf 154, in view 1000 Mechanism of Attack (primary)
Relevant Security Requirements
Special characters in user-controllable input must be escaped before use
by the application. Custom error pages must be used to handle exceptions
such that they do not reveal any information about the architecture of the
application.