A directory traversal attack attempts to access files on a server that were never meant to be served, i.e., files outside the web root directory (explained below). Directory traversal attacks are also known as ../ (dot dot slash) attacks, directory climbing, and backtracking.
A Web site uses a server to store and give access to the files that contain web content. These publicly accessible files are stored in what is typically called the "web document root" or simply "root" directory. A directory is another word for what shows up as a folder in the Microsoft Windows operating system. Directories allow hierarchical organization of files and other directories.
By exploiting a directory traversal vulnerability, an attacker can access files in directories other than the root directory. This can be harmful, since access to restricted files containing passwords or other private information may compromise the web server.
For example, by typing the following URL:
http://www.myhackersite.com/online/file.asp?item=../../../../WINNT/win.ini
the attacker causes file.asp to retrieve the file ../../../../WINNT/win.ini and display it in the attacker's browser. The character sequence "../" stands for "one directory up", and is a common operating system directive. The string "../../../../WINNT/win.ini" therefore means "go four directories up, then down into directory WINNT and retrieve the file win.ini from there".
The attacker needs to guess how many directories to climb in order to get to the desired directory, but this can be easily done by trial and error.
The infamous Nimda virus that infected more than 300,000 computers in 2001 was enabled by a directory traversal attack.
Protective Measures
Practices
- Keep security patches updated. Apply the most up-to-date security patches. Monitor security announcements and patch releases for any applications that run on your web server.
- Put the web root directory on a non-system partition. For example, if your system files (in Microsoft Windows, the WINDOWS directory and all its subdirectories) are on the C: drive, put your web root directory on a different drive. A directory traversal attack can’t traverse across drives.
Tools
- Web application vulnerability checkers. Commonly used tools to check web applications for vulnerabilities include Cenzic's Hailstorm and the Acunetix Web Vulnerability Scanner.
- Use firewalls that protect internal files from being accessed illegally. Firewalls that support HTTP URL patterning protect files by detecting embedded encoding characters in URL strings. The httpurlpattern.cf file contains a sample list of potentially harmful expressions. When incoming URLs are checked against this file, if the URL matches an expression in the list, access is denied. Such a firewall is Symantec Enterprise Firewall.
- Block any URL with embedded encoding characters. You can configure the URL pattern policy to do this by using a regular expression such as ".*%[0-9a-fA-F]+". For additional flexibility, you can apply the URL pattern restrictions at the rule level. This provides the necessary granularity for each site to customize the rules and patterns to fit its unique needs.
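The following Python example is added here to illustrate two points from this page and is not code from the original text or from any of the products named: a lookup that trusts the item parameter (the "../" climb shown above), the hardened form that keeps every resolved path inside the web root, and the encoded-character URL rule quoted in the last item. The web root /var/www/html and the request strings are constructed for the demonstration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web document root for this example (not a path from the page).
WEB_ROOT = "/var/www/html"

# The URL-pattern rule quoted above: any percent-encoded byte in the URL.
ENCODED_CHAR_RULE = re.compile(r".*%[0-9a-fA-F]+")


def has_encoded_chars(url: str) -> bool:
    """Firewall-style check: True when the URL contains a %XX sequence."""
    return ENCODED_CHAR_RULE.match(url) is not None


def vulnerable_path(item: str) -> str:
    """What a script that trusts the 'item' parameter effectively does:
    join and normalise, so every '../' climbs one directory out of the root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, item))


def safe_path(item: str):
    """Hardened lookup: decode once, normalise, then require the result to
    remain inside WEB_ROOT. Returns the resolved path, or None if rejected."""
    decoded = unquote(item)                      # turn %2e%2e%2f into ../
    if "\x00" in decoded:                        # NUL can truncate the path later
        return None
    # posixpath.join discards WEB_ROOT when 'decoded' is absolute (/etc/passwd);
    # the containment check below catches that case too.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    root = WEB_ROOT.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.html", "../../../../WINNT/win.ini",
                "..%2f..%2f..%2fWINNT%2fwin.ini", "/etc/passwd"):
        print(f"{req!r:34} trusting -> {vulnerable_path(req)}  hardened -> {safe_path(req)}")
```

Note that the trusting version cannot climb above "/" on a single filesystem, which is the reasoning behind the advice above to keep the web root on a non-system partition; the hardened version rejects the request outright instead of relying on that layout.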