A path traversal, also known as directory traversal, is a type of security vulnerability that allows an attacker to access files and directories that are outside the intended directory structure. This vulnerability occurs when an application does not properly sanitise user input, allowing attackers to escape the intended directory by manipulating the file path and accessing files stored elsewhere on the system.
Basic path traversal
Imagine you have a web application with the following code:
The code is vulnerable to a path traversal because it takes user input from the GET parameter note and inserts it directly into the $file variable without sanitising the value provided by the user. Since the code mishandles the user input, an attacker can perform a path traversal using the dot-dot-slash (../) technique, which exploits the flaw so that the attacker can access files outside the intended folder structure.
An example of such a payload:
This payload uses seven dot-dot-slash (../) patterns to go back seven steps from the intended folder structure. In the vulnerable-code example above, the user input is placed in the folder structure (unknown)files/notes, where unknown represents possible unknown subfolders and is the reason why the payload contains seven dot-dot-slash patterns.
If we send this payload to the web application, the variable $file would result in this value:
In this scenario the folders files and notes would be escaped and "cost" two dot-dot-slash patterns. This means that we can still (if they are present) escape five more subfolders.
Path traversal with weak protection mechanism
Sometimes developers add protections against path traversals, but inadvertently leave loopholes in these defences. For instance, suppose we take the same web application code as above and strip the dot-dot-slash pattern from the user input with a single str_replace(...) call. Do you see any problem with this?
What would happen if we nested two dot-dot-slash patterns together, such as:
In this situation the filter runs a single pass: it removes the one dot-dot-slash pattern that is present in the input, but it never re-checks the result. Because the two patterns are nested, the characters left behind after the first removal join together into a second dot-dot-slash pattern, and the modified payload still exploits the path traversal.
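The following is an added example rather than the page's own code: it puts the one-pass str_replace-style filter described above next to a hardened resolver that canonicalises the requested path and checks that it is still inside the notes directory. BASE_DIR, SIBLING_DIR and resolve_note are assumptions for this example, with BASE_DIR standing in for the page's files/notes folder.

```python
"""Added example, not the original page's code: the one-pass '../' filter the
text describes, next to a hardened resolver that canonicalises the path and
checks it is still inside the notes directory. BASE_DIR is a constructed
sandbox directory standing in for the page's files/notes folder."""
import os
import tempfile
from typing import Optional

BASE_DIR = tempfile.mkdtemp(prefix="notes-")  # constructed sandbox directory
SIBLING_DIR = BASE_DIR + "-secret"            # shares the prefix, is not inside


def weak_sanitize(user_path: str) -> str:
    """Mirrors a one-pass str_replace('../', '', ...) filter.

    str.replace removes the dot-dot-slash sequences present in the input
    but never re-scans the result: in '....//' the characters left after
    one removal join into a fresh '../', so the filter is bypassed.
    """
    return user_path.replace("../", "")


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path of user_path inside base_dir, else None.

    realpath collapses '.', '..' and symlinks; the result must then share
    base_dir as a common path. commonpath compares whole components, so a
    sibling such as '<base>-secret' is rejected, whereas a plain
    str.startswith(base_dir) check would let it through.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # different drives on Windows: cannot be inside
        return None
    return candidate


def resolve_note(user_path: str) -> Optional[str]:
    """What the note endpoint should do with its GET parameter."""
    return safe_resolve(BASE_DIR, user_path)


if __name__ == "__main__":
    nested = "....//....//etc/passwd"  # the nested pattern from the text
    print("weak filter leaves:", weak_sanitize(nested))
    print("hardened resolver :", resolve_note(weak_sanitize(nested)))
    print("ordinary note     :", resolve_note("todo.txt"))
```

The hardened resolver does not try to strip anything; it resolves whatever it is given and refuses any result that leaves the base directory, which is why a nested or absolute input makes no difference to it.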
Now that you know the basics of how a path traversal vulnerability works, you can test your practical skills on our official challenges.