White Hat Institute

“Defend the Web” write-up (Intro 4)

“Defend the Web” write-up (Intro 4: path traversal vulnerability)

The goal of a path traversal attack (commonly referred to as directory traversal) is to get access to files and directories stored outside of the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations (URL-encoded or doubled-up forms, for instance), or by supplying absolute file paths, an attacker may be able to read arbitrary files and directories on the file system, including application source code or configuration. Keep in mind that the operating system’s own access control still applies: the web server’s user only reaches files it has permission to read, and files that are locked or in use on Microsoft Windows may not be readable at all.

Let’s analyze the source code of the page and see what we can find.

Defend the Web Intro 4-1

Press CTRL + F and search for the word “password”.

Defend the Web Intro 4-2

There is a hidden input with the id “passwordfile” whose “value” attribute holds the relative path to a “.json” file. Copy that hidden path, paste it at the end of the URL, and hit “Enter”.

Defend the Web Intro 4-3

Requesting that path makes the server hand back the .json file, and with it the sensitive information the level is hiding.

Defend the Web Intro 4-4

All but the simplest web applications have to include local resources such as graphics, themes, and other scripts. Every time the application includes a resource or file based on a request, there is a chance an attacker can make it include a file or remote resource you never intended to expose.

Know how the underlying operating system handles the filenames that are passed to it (case-insensitive names, trailing dots and spaces, NUL bytes). Don’t store sensitive configuration files inside the webroot. On Windows IIS servers, keep the webroot off the system drive so that a traversal cannot walk back into the system directories. Prefer file system calls that take no user input at all. When loading templates or language files, let the user pick an index into a table of known file names rather than supplying a file name.

Never let the user supply every component of the path: wrap the user-controlled part in a directory prefix and file extension of your own. Validate the input against an allow-list of known-good values rather than trying to sanitize bad ones out. Use chroot jails and code access policies to limit where files can be read from or written to. If user input must reach a file operation, canonicalize it first and confirm the result still lies inside the intended directory before passing it to the file I/O API.
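The following Python is an added example, not code from the Defend the Web challenge or from this write-up. It shows the traversal described above in working form (a vulnerable file-serving routine that appends the request path to the webroot and so follows “../” out of it, or an absolute path away from it entirely) next to the two defenses the paragraphs above recommend: canonicalize-then-contain, and index-based lookup through an allow-list table. The directory layout, file names, the `private/users.json` contents and the `THEME_FILES` table are constructed for the illustration and are not the challenge’s real layout.

```python
import tempfile
from pathlib import Path


def build_layout() -> Path:
    """Constructed directory layout for the demo (an assumption, not the
    challenge's real layout): <root>/htdocs is the webroot, and
    <root>/private/users.json is the sensitive file outside it."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (root / "htdocs" / "css").mkdir(parents=True)
    (root / "htdocs" / "css" / "site.css").write_text("body { color: #000; }")
    (root / "private").mkdir()
    (root / "private" / "users.json").write_text('{"admin": "s3cret"}')
    return root


def serve_vulnerable(webroot: Path, requested: str) -> str:
    """Vulnerable form: the request parameter is glued onto the webroot and
    opened as-is. '../' sequences walk out of the webroot, and an absolute
    path replaces the webroot prefix entirely (pathlib semantics)."""
    target = webroot / requested        # no canonicalisation, no containment check
    return target.read_text()


def serve_hardened(webroot: Path, requested: str) -> str:
    """Hardened form: canonicalise both sides, then require the target to sit
    strictly below the webroot. This rejects '../' runs, absolute paths and
    symlinks that point outside. Any URL-decoding must already have happened,
    exactly once, before the value reaches this function."""
    base = webroot.resolve()
    target = (base / requested).resolve()   # collapses '..' and follows symlinks
    if base not in target.parents:
        raise PermissionError(f"path escapes webroot: {requested!r}")
    return target.read_text()


# Index-based lookup: the user picks a key, never a file name (assumed table).
THEME_FILES = {"default": "css/site.css"}


def serve_by_index(webroot: Path, theme: str) -> str:
    """Only values from the allow-list table ever reach the file system."""
    if theme not in THEME_FILES:
        raise ValueError(f"unknown theme: {theme!r}")
    return (webroot / THEME_FILES[theme]).read_text()


if __name__ == "__main__":
    webroot = build_layout() / "htdocs"
    payload = "../private/users.json"       # a hidden 'passwordfile'-style path
    print("vulnerable:", serve_vulnerable(webroot, payload))
    try:
        serve_hardened(webroot, payload)
    except PermissionError as exc:
        print("hardened  :", exc)
    print("by index  :", serve_by_index(webroot, "default"))
```

The containment check is done on the resolved path, not on the raw string: rejecting the literal substring “../” would miss encoded variants and symlink escapes, whereas resolving first and then asking whether the webroot is an ancestor of the result handles all of them in one place. The index-based variant goes further and never lets user input touch a path at all.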