Also called directory climbing, dot-dot-slash, and backtracking attack, the directory traversal method leverages the way in which an application gets data from the webserver. Generally, Access Control Lists (ACLs) limit user access to specific files within a root directory.
Consider a set of nested folders that follow this order:
- Root directory: My Very Sensitive Data (MVSD)
- Inside MVSD folder: Protecting from H@x0rs (PfH) folder
- Inside PfH folder: My Password is Bad (MPiB) folder
- Inside MPiB folder: H@x0rs Stole My Info file
Now, you might have an additional set of folders outside that root folder including Pictures, Videos, and Downloads. Unless you have access to each of these other root folders, you can’t access the information they contain.
Web applications organize information the same way, even if you don’t see it. In a directory traversal attack, malicious actors figure out the URL structure that the application uses to request files. Using the hypothetical above, that URL might be:
www.myinsecurewebapp.com/MyPas… The “.asp?item=” portion shows that this URL pulled the file “H@x0rsStoleMyInfo” from the “My Password is Bad” folder. Now they know the folder structure and how to start requesting different files.
Using this structure, they add “../” at the end. The “../” indicates moving from one folder to one just above it in the hierarchy. The new request might look like this:
www.myinsecurewebapp.com/MyH@cking.asp?item=../
They keep adding “../” until they gain access to another file. If they know the name of the file, such as an operating system file name, they might do this:
www.mywebsiteinfo.com/MyPasswordisBad.asp?item=../genericoperatingsystemfile
At this point, they just keep adding more “../” after the equal sign until they get to the folder level and file they want.
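To make the mechanism concrete from the defender's side, here is an added Python example (it is not code from the article) that contrasts the vulnerable pattern, joining the `item` parameter straight onto the web root, with a hardened resolver that canonicalises the path and checks it is still inside the root. The web root `/srv/app/MyPasswordisBad`, the function names and the sample requests are all assumptions constructed for the example, reusing the article's hypothetical folder and file names.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the example; the folder name follows the article's
# hypothetical and is not a real path on any system.
WEB_ROOT = "/srv/app/MyPasswordisBad"


def unsafe_resolve(item: str) -> str:
    """Vulnerable pattern: the decoded 'item' parameter is joined onto the root as-is.

    normpath collapses every '../' segment, so '../genericoperatingsystemfile'
    resolves one level above WEB_ROOT, exactly as the article describes.
    """
    decoded = unquote(item)  # the web framework would normally do this step
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def safe_resolve(item: str) -> Optional[str]:
    """Hardened pattern: canonicalise first, then require the result to stay
    inside WEB_ROOT. Returns the resolved path, or None if the request must be
    rejected.

    Rejecting on the literal substring '..' is not enough: it misses
    percent-encoded forms such as '..%2F' and wrongly blocks harmless paths
    like 'sub/../file' that never leave the root.
    """
    decoded = unquote(item)
    # A NUL byte can truncate the path in lower-level C APIs; never pass it on.
    if "\x00" in decoded:
        return None
    # posixpath.join discards the root when the item is absolute, so refuse those.
    if decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # Containment check: exactly the root, or a descendant of it. Comparing with
    # the trailing separator stops '/srv/app/MyPasswordisBad2' from matching.
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


def traversal_depth(item: str) -> int:
    """Detection helper: number of '..' segments in a request after decoding.

    Useful for flagging probes in access logs even when the application
    already rejects them; a burst of requests with depth >= 1 is a clear signal.
    """
    decoded = unquote(item)
    return sum(1 for seg in decoded.split("/") if seg == "..")


# Constructed sample requests: the article's own file and folder names, plus
# the encoded, absolute and NUL-byte variants a defender should expect to see.
SAMPLE_ITEMS = [
    "H@x0rsStoleMyInfo",
    "sub/../H@x0rsStoleMyInfo",
    "../genericoperatingsystemfile",
    "../../../genericoperatingsystemfile",
    "..%2F..%2Fgenericoperatingsystemfile",
    "/genericoperatingsystemfile",
    "H@x0rsStoleMyInfo%00.txt",
]

if __name__ == "__main__":
    for raw in SAMPLE_ITEMS:
        print(f"{raw!r:45} unsafe -> {unsafe_resolve(raw)}")
        print(f"{'':45} safe   -> {safe_resolve(raw)}  depth={traversal_depth(raw)}")
```

The string-based `posixpath` functions keep the demo deterministic and offline; in a real service, run the same containment check on `os.path.realpath(...)` so that symbolic links inside the root cannot point back out of it.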