4.6. Directory Traversal

4.6.1. Introduction

Directory traversal (also known as path traversal) is the use of ../ directory control sequences, or of absolute file paths, to access arbitrary files and directories stored on the file system, especially application source code, configuration files, important system files, etc.

4.6.2. Attack payload

4.6.2.1. URL Parameters

  • ../

  • ..\

  • ..;/

4.6.2.2. Nginx Off by Slash

  • https://vuln.site.com/files../

4.6.2.3. UNC Bypass

  • \\localhost\c$\windows\win.ini

4.6.3. Filter Bypass

  • Single replacement (defeats filters that strip the sequence only once)
    • ...//

  • URL encoding

  • 16-bit Unicode encoding
    • \u002e

  • Overlong UTF-8 encoding
    • %e0%40%ae

4.6.4. Defense

User input should be filtered before it reaches any file-operation API. Under stricter rules a whitelist can be used, allowing only plain alphanumeric characters and the like.

If the rules must allow more characters, it is best to first normalize the path with the current operating system's path normalization function, then apply the filter, and only then make the file-related call.
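The two defensive rules above, as an added Python example that is not part of the original notes: a strict alphanumeric whitelist for the stronger rule, and normalize-then-check for the looser rule. The base directory /srv/app/files and the function names are constructed for the illustration.

```python
import os
import re
from typing import Optional

# Strict whitelist: a bare file name made only of alphanumerics, dot, underscore and dash.
# No path separators are allowed at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def whitelist_filename(name: str) -> bool:
    """Stronger rule: accept only a plain file name of safe characters.
    '.' and '..' are rejected explicitly since both pass the character check."""
    return SAFE_NAME.fullmatch(name) is not None and name not in (".", "..")


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Looser rule: sub-directories are allowed, so normalize first with the OS
    path functions, then check that the result still lies inside base_dir.
    Returns the absolute path to open, or None if the input escapes the base."""
    base = os.path.realpath(base_dir)
    # An absolute user path would replace base_dir in os.path.join, so strip
    # leading separators and treat every input as relative to the base.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    try:
        # realpath has already collapsed '..' and symlinks; commonpath compares
        # whole path components, so 'files' cannot be confused with 'files2'.
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/app/files"  # constructed base directory for the demonstration
    for attempt in ("docs/readme.txt", "../../etc/passwd",
                    "docs/../../etc/passwd", "/etc/passwd"):
        print(f"{attempt!r:28} -> {resolve_under_base(base, attempt)}")
```

Decoding (URL, Unicode, overlong UTF-8) must happen before this check, which is why it is placed after the framework has decoded the request parameter rather than on the raw bytes.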