Path Traversal (also known as Directory Traversal) is a web security vulnerability that lets an attacker read arbitrary files on the server running the application, and in some configurations write them as well.

This usually involves tricking the web server into “jumping out” of the intended web root directory (like /var/www/html) and accessing sensitive parts of the file system (like /etc/passwd or configuration files).

How It Works: The ../ Trick

The attack relies on the dot-dot-slash (../) sequence, the path component that the operating system resolves as “the parent directory”, i.e. one level up in the directory hierarchy. On Windows the backslash form (..\) works too, and many path parsers accept either separator.

If an application takes a filename as input and doesn’t sanitize it, an attacker can modify the request:

  • Normal Request: https://example.com/view?file=report.pdf

  • Attack Request: https://example.com/view?file=../../../../etc/passwd

In this case the server steps up one directory for each ../ (view, html, www, var), which reaches the filesystem root after exactly four steps, and then descends into etc/passwd:

/var/www/html/view/../../../../etc/passwd  ->  /etc/passwd

Extra ../ sequences beyond the root are simply ignored, so attackers usually send more than they need rather than guessing the exact depth.
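To make the resolution above concrete, here is an added example (not code from the original page) that mimics a naive file-serving handler: it joins the web root and the user-supplied filename and lets the path library collapse the dots. The web root /var/www/html/view and the payloads are constructed for illustration; beyond the single attack string in the text, the loop also shows that overshooting the root is harmless, that an absolute filename makes join() discard the root entirely, and that ....// does nothing by itself against a handler that has no filter.

```python
import posixpath

# Constructed values: the web root and request filenames used in the text above.
WEB_ROOT = "/var/www/html/view"


def resolve(web_root: str, user_file: str) -> str:
    """Do what a naive file-serving handler does: glue the web root and the
    user-supplied name together, then let the path library collapse '.' and '..'.
    posixpath (not os.path) is used so the result is identical on every host."""
    return posixpath.normpath(posixpath.join(web_root, user_file))


def escapes_root(web_root: str, user_file: str) -> bool:
    """True when the resolved path lies outside web_root."""
    root = web_root.rstrip("/")
    resolved = resolve(web_root, user_file)
    return resolved != root and not resolved.startswith(root + "/")


if __name__ == "__main__":
    # Constructed payloads: the normal request, the attack from the text, and three variants.
    for payload in (
        "report.pdf",                           # normal request, stays inside the root
        "../../../../etc/passwd",               # exactly four levels up: /etc/passwd
        "../../../../../../../../etc/passwd",   # overshooting is harmless; '..' at '/' is dropped
        "/etc/passwd",                          # absolute input: join() discards the root entirely
        "....//etc/passwd",                     # only useful against a filter that strips '../' once
    ):
        print(f"{payload!r:40} -> {resolve(WEB_ROOT, payload):38} escapes={escapes_root(WEB_ROOT, payload)}")
```

The absolute-path case is worth remembering when reading code: in most languages the path-join helper returns the second argument unchanged if it is already absolute, so a handler that “prefixes the web root” gets no protection from doing so.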


Why It Happens

Path Traversal occurs when an application uses user-controllable input in a filesystem operation (like opening or reading a file) without properly validating that the input doesn’t contain path-navigation characters.

Impact

  • Data Leakage: Access to application source code, database credentials, and system configuration files.

  • System Compromise: If the attacker can also write files (e.g., a “File Upload” feature combined with path traversal), they can achieve Remote Code Execution (RCE) by overwriting a script or configuration the server executes, or by planting content in a file (such as a log) that the application later includes or runs.


Prevention Strategies

To defend against this in your own projects or when hardening your lab:

  1. Avoid User Input in Paths: The best defense is to never pass user-supplied input directly to filesystem APIs.

  2. Use an Allowlist: Use a predefined list of “safe” files. If the user input isn’t in that list, reject it.

  3. Canonicalize & Validate: If you must use input, don’t rely on stripping ../ and ./ sequences: a single pass turns ....// into ../, and URL-encoded forms such as %2e%2e%2f may be decoded after the filter has run. Instead, resolve the full path (realpath or the platform equivalent, which also follows symlinks) and verify that the result lies inside the expected base directory before opening it.

  4. Filesystem Permissions: Run the web server with the “Principle of Least Privilege.” The user running the service should only have access to the directories it absolutely needs.

#attacks attack LateralMovement techniques
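The following added example (not code from the original page) puts strategies 2 and 3 side by side with the naive filter they replace. It builds a throwaway web root with a constructed report.pdf, shows that a one-pass strip of ../ is bypassed by ....//....//etc/passwd, and then serves files through an allowlist plus a canonical containment check (realpath followed by commonpath). The function and file names are assumptions made for the demonstration.

```python
import os
import tempfile


def strip_traversal_once(user_file: str) -> str:
    """The naive 'sanitizer' from the text: delete every '../' in one pass.
    Removing an inner '../' can splice a fresh one together, so this is bypassable."""
    return user_file.replace("../", "")


def safe_resolve(base_dir: str, user_file: str) -> str:
    """Return the canonical path of user_file inside base_dir, or raise ValueError.
    realpath() resolves '.', '..', duplicate separators and symlinks first, so the
    containment check sees the same path the kernel will actually open."""
    base = os.path.realpath(base_dir)
    # os.path.join() throws the base away when the second argument is absolute,
    # so leading separators are removed before joining.
    candidate = os.path.realpath(os.path.join(base, user_file.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_file!r} resolves outside {base}")
    return candidate


def serve(base_dir: str, user_file: str, allowlist=None) -> bytes:
    """Read a requested file. An allowlist (strategy 2) is checked first; the
    canonical containment check (strategy 3) is applied in every case."""
    if allowlist is not None and user_file not in allowlist:
        raise ValueError(f"{user_file!r} is not an allowed file")
    with open(safe_resolve(base_dir, user_file), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway web root with constructed contents and exercise the checks."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"quarterly report")
    results = {"normal": serve(root, "report.pdf")}

    # The filter-bypass payload: one pass of stripping turns '....//' into '../'.
    bypass = strip_traversal_once("....//....//etc/passwd")
    results["stripped"] = bypass

    for name, payload in (("traversal", "../../../../etc/passwd"), ("bypass", bypass)):
        try:
            safe_resolve(root, payload)
            results[name] = "served"
        except ValueError:
            results[name] = "rejected"

    # An absolute input is confined under the root instead of replacing it.
    results["absolute_confined"] = safe_resolve(root, "/etc/passwd").startswith(
        os.path.realpath(root) + os.sep
    )

    # A symlink inside the root that points outside is caught because realpath follows it.
    try:
        os.symlink(os.path.dirname(root), os.path.join(root, "up"))
        try:
            safe_resolve(root, "up/anything")
            results["symlink"] = "served"
        except ValueError:
            results["symlink"] = "rejected"
    except OSError:
        results["symlink"] = "skipped"  # platforms where symlink creation is not permitted

    # The allowlist rejects anything not explicitly named, before any path work happens.
    try:
        serve(root, "../../../../etc/passwd", allowlist={"report.pdf"})
        results["allowlist"] = "served"
    except ValueError:
        results["allowlist"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

Note that the containment check compares canonical paths, not string prefixes: a prefix test on /var/www/html would also accept /var/www/html_backup, which commonpath() does not. The symlink case cuts both ways: realpath() stops a link inside the web root from reaching outside it, but it also means a legitimate symlinked directory needs to be added to the allowlist or mounted inside the base directory instead.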