Introduction

Directory traversal (or path traversal) is a vulnerability in an application where an attacker or a user can gain access to unauthorized files and directories, sensitive or not, inside or outside the context of the application's runtime environment.

This attack is also known as dot-dot-slash, directory traversal, directory climbing and backtracking.

Directory traversal attacks are platform dependent, because the way directory paths are specified is defined by the operating system on which the application is running. Popular server operating systems are Linux, Windows and sometimes macOS.

To understand the path traversal attack, we must first understand how to move back and forth between directories in a Linux terminal or the Windows command prompt.

Linux/macOS

On a Linux system, file paths are structured using forward slashes (/). A dot (.) signifies the current working directory and dot dot (..) signifies the parent directory. Similarly, ../.. specifies the parent's parent directory.

┌──(kali㉿kali)-[/var/www/html]
└─$ ls -la       
total 362672
drwxr-xr-x  7 kali kali      4096 Jul 12 01:26  .
drwx------ 54 kali kali      4096 Jul 14 13:18  ..
-rw-rw-r--  7 kali kali      4096 Jul 12 03:85  test.txt

To find the current working directory in the bash shell, we can use the pwd command.

┌──(kali㉿kali)-[/var/www/html]
└─$ pwd                          
/var/www/html

As you can see, the output of the above command is /var/www/html, which signifies that we are inside the /var directory, which contains a directory named www, which in turn contains a directory named html.

Now, let's move to the parent directory of html. The cd .. command (Change Directory) changes the directory to its parent, i.e. /var/www.

┌──(kali㉿kali)-[/var/www/html]
└─$ cd ..           
 
┌──(kali㉿kali)-[/var/www]
└─$ pwd
/var/www

Now, let's move back to our html directory using cd html, which puts us in /var/www/html again. Then, using cd ../.., let's move to the parent's parent directory, i.e. /var.

┌──(kali㉿kali)-[/var/www]
└─$ cd html
 
┌──(kali㉿kali)-[/var/www/html]
└─$ cd ../..
 
┌──(kali㉿kali)-[/var]
└─$ pwd
/var

Similarly, we can move up any number of parent directories with cd by chaining ../ sequences.

Windows

Windows works similarly to Linux, except that it uses a backslash \ instead of a forward slash /. Here too, a dot (.) signifies the current working directory and dot dot (..) signifies the parent directory.

C:\inetpub\wwwroot>dir
 Directory of C:\inetpub\wwwroot
    <DIR>          .
    <DIR>          ..

The same pwd command can also be used on Windows to check the present/current working directory.

C:\inetpub\wwwroot>pwd
C:\inetpub\wwwroot

Now, to move two directories up from C:\inetpub\wwwroot to C:\, we can use the cd ..\.. command in the command prompt. Note the use of the backslash \ instead of the forward slash / here.

C:\inetpub\wwwroot>cd ..\..
C:\>pwd
C:\

In general, Windows also supports the forward slash /, so it can be used as well. However, in the command prompt and File Explorer, Windows itself uses only the backslash \.
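The resolution rules walked through in the Linux and Windows sections can be reproduced in a few lines. The following is an added example, not part of the original article: it resolves a relative path under each OS's rules and, going one step beyond the text, checks whether the result still lies inside the starting directory. The function names resolve and is_inside are assumptions chosen for illustration.

```python
import ntpath
import posixpath

# posixpath and ntpath are pure string logic, so both rule sets run on any host.
FLAVOURS = {"posix": posixpath, "windows": ntpath}


def resolve(base, user_path, flavour="posix"):
    """Join user_path onto base and collapse '.' and '..' as that OS would."""
    p = FLAVOURS[flavour]
    return p.normpath(p.join(base, user_path))


def is_inside(base, user_path, flavour="posix"):
    """True only if the resolved path is base itself or somewhere below it."""
    p = FLAVOURS[flavour]
    root = p.normpath(base)
    target = resolve(root, user_path, flavour)
    try:
        # commonpath compares whole components, so /var/www/html-backup is
        # not mistaken for a child of /var/www/html (a startswith() pitfall).
        return p.commonpath([root, target]) == root
    except ValueError:
        # e.g. the joined path landed on a different Windows drive
        return False


if __name__ == "__main__":
    # Constructed sample inputs, reusing the directories from the sessions above.
    samples = [
        ("posix", "/var/www/html", "test.txt"),
        ("posix", "/var/www/html", "css/../test.txt"),  # '..' that stays inside
        ("posix", "/var/www/html", "../.."),
        ("posix", "/var/www/html", "..\\.."),  # backslash is a plain character
        ("windows", "C:\\inetpub\\wwwroot", "..\\.."),
        ("windows", "C:\\inetpub\\wwwroot", "../.."),  # '/' also separates
    ]
    for flavour, base, rel in samples:
        print(f"{flavour:8} {rel!r:18} -> {resolve(base, rel, flavour)!r:26} "
              f"inside={is_inside(base, rel, flavour)}")
```

The check works on path strings only and does not follow symbolic links; on a real file system, os.path.realpath resolves those before the comparison.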

Explanation

Let's say we want to visit Ubuntu's help page hosted at https://help.ubuntu.com/. The community page of the website is hosted under the community/ endpoint. The following is a screenshot of the community/ page.

We can go to the root of the website by navigating to https://help.ubuntu.com/ or, using the trick we have discussed, to https://help.ubuntu.com/community/../ (which moves the endpoint to its parent). Whichever of these URLs you use, you will be redirected to https://help.ubuntu.com/.

Similarly, we can use backslashes instead of forward slashes to get the same result: https://help.ubuntu.com/community\..\

So directory or path traversal works not just in File Explorer but also when traversing normal URLs.

In the next part of this series, we will look at a demonstration of a path traversal attack on a sample Docker application.