4.6. Directory Traversal

4.6.1. Introduction

Directory traversal (also known as directory traversal/directory traversal/path traversal) is use ../ of directory control sequences or absolute paths to files to access arbitrary files and directories stored on the file system, especially application source code, configuration files , important system files, etc.

4.6.2. Attack payload

4.6.2.1. URL Parameters

• ../

• ..\

• ..;/

4.6.2.2. Nginx Off by Slash

• https://vuln.site.com/files../

4.6.2.3. UNC Bypass

• \\localhost\c$\windows\win.ini

4.6.3. Filter Bypass

• single replacement

  • ...//

• URL encoding

• 16-bit Unicode encoding

  • \u002e

• Super long UTF-8 encoding

  • \%e0%40%ae

4.6.4. Defense

User input should be filtered before performing file operations related APIs. A whitelist can be used under stronger rules, allowing only pure alphanumeric characters, etc.

If the rule allows more characters, it is best to use the current operating system path normalization function to normalize the path, then filter, and finally make the relevant call.

4.6.5. Reference Links

• Directory traversal by portswigger

• Path Traversal by OWASP

• path normalization

• Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out defcon