Preventing Directory Traversal

Directory traversal vulnerabilities allow attackers to access arbitrary files on your system. They tend to occur in older technology stacks, which map URLs too literally to directories on disk.

Risks

Prevalence Common
Exploitability Moderate
Impact Devastating

If an attacker discovers a directory traversal vulnerability, it is only a matter of time before they compromise your system. An experienced attacker will have seen a similar technology stack, and will have a playbook of things to try next.

If your site is indexed on Google, and you have URLs that pass file names in the query string, you are likely advertising a potential vulnerability to attackers. Hackers often use search engines to locate likely targets, and will search for tell-tale URLs. Try searching Google for site:<yourdomain.com> inurl:file= to see if any results get returned!

Protection

Use a Content Management System

If your site handles a lot of documents, chances are the workflows around uploading, indexing, publishing, and replacing documents will be quite involved. You may have non-technical users acting as administrators. If this is the case, look into using a third-party content management system; these systems are designed for exactly this case.

A modern CMS will protect against directory traversal.

Use Indirection

If a content-management system proves too heavyweight as a solution, consider using indirection to label your files. Each time a file is uploaded, construct a “friendly” name for this on your site, and when the file is accessed, perform a lookup in your data-store to discover the actual file path.

This approach effectively white-lists valid names, and avoids the fragility of passing around raw file paths.

Segregate Your Documents

Hosting documents on a separate file-server or file partition, or in cloud storage, is a good idea too. This will allow you to prevent mixing public documents and more sensitive material.

Sanitize Filename Parameters

If you insist on using raw file names, you need to sanitize the file names coming in from HTTP requests. Initially, this would seem to be simply a matter of checking for “back-tracking” paths starting with ../.

In actual fact, it is a lot more complex than that. For example, Unix file systems interpret paths starting ~/ as relative to the home directory. It is even easier to construct a lot of ambiguous paths in Windows. Moreover, depending on how URLs are encoded, it is possible to obscure malicious paths. See here for a list of exploits people have found.

The safest approach is to restrict filenames to a list of known good characters, and ensure that any references to files use only those characters.
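The following puts the "known good characters" rule into practice, combined with a canonical-path check as a second layer. It is an added example, not code from the original article; the document root and the sample request values are constructed for illustration.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Allowlist: a plain basename that starts with a letter or digit and contains
# only letters, digits, dot, underscore and hyphen. Slashes, backslashes,
# "~", NUL bytes and a leading ".." can never match this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_name(name: str) -> bool:
    """Return True only if name is an unambiguous basename from the allowlist."""
    return SAFE_NAME.fullmatch(name) is not None


def resolve_document(base_dir: str, requested: str) -> Optional[str]:
    """Map an HTTP 'file' parameter to a path under base_dir, or None if rejected."""
    # Decode exactly once. Decoding in a loop would let double-encoded
    # sequences such as %252e%252e turn into ".." after the check has run.
    name = unquote(requested)
    if not is_safe_name(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defense in depth: even an allowlisted name could be a symlink that
    # points outside the document root, so confirm the canonical path
    # still lives under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_samples(base_dir: str = "/srv/docs") -> dict:
    """Constructed sample request values and whether each is accepted."""
    samples = [
        "report.pdf",                   # ordinary document name
        "../../etc/passwd",             # classic back-tracking path
        "..%2F..%2Fetc%2Fpasswd",       # same path, URL-encoded
        "~/.ssh/id_rsa",                # home-relative path
        "..\\..\\boot.ini",             # Windows-style separators
        "report.pdf%00.txt",            # embedded NUL byte
    ]
    return {s: resolve_document(base_dir, s) is not None for s in samples}
```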

Run with Restricted Permissions

It is a good practice to run your server processes with only the permissions that they require to function – the principle of least privilege. This can help limit the impact of vulnerabilities as a second line of defense.

Make sure the server process can only access the directories it needs. Consider running the process in a chroot jail if you are running on Unix. This will mitigate the risks if a directory traversal vulnerability is discovered.

Further Reading

Is your website vulnerable to directory traversal attacks?
