Traversal attacks: How to secure against them

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Threat modeling Web application security and the PCI DSS The essentials of Web application threat modeling How to implement security in Java EE and Java ME Application security shouldn't involve duct tape, Band-Aids or bubble gum Stop SQL injection attacks on applications How to counter XSS attacks Breaking the same origin barrier of JavaScript Protection against "zero-minute" exploits Denial of service and Ajax CSRF attack vector with Ajax serialization Software security testing and techniques Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Is online application testing for smartphones different from other software testing? Software testers facing six big challenges today, StarWest keynoter says Lesser-known free software testing tools testers should try Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science'

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Path traversal and directory traversal are more or less synonymous. This attack technique is used to exploit Web sites by accessing files and commands beyond the intended scope of user access. Most Web sites restrict user access to a specific portion of the file-system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. A user should not be able to access any files beyond this point. The WASC Web Security Threat Classification has more information on the subject.

Here are some solutions:

1. Ensure the user level of the Web server or Web application is given the least amount of read permissions possible for files outside of the Web document root. This also applies to scripting engines or modules necessary to interpret dynamic pages for the Web application.

2. Normalize all path references before applying security checks. When the Web server decodes path and file names, it should parse each encoding scheme it encounters before applying security checks on the supplied data and submitting the value to the file access function.

   In many cases, the path and file name can be safely reduced to a subset of 7-bit ASCII characters even though the operating systems supports extended encodings. Be aware of systems that (incorrectly) reduce Unicode characters to ASCII equivalents, such as Windows' interpretation of U+2216 (intended as a mathematical operator) as a slash character.

3. When possible, refer to absolute path names for files, directories and commands using constants in the source code of the Web application. This prevents variables from being exposed to the user and altered or overwritten by user input.

4. If file names will be passed in URL parameters, then restrict all user-accessible files to a single directory that does not include dynamic script files. Use a global constant to set this base path.

   Prefix the base path to all file requests in order to prevent attacks from accessing files outside the Web document root. This is more restrictive than setting the base path to the Web document root and will prevent attackers from viewing the source code of dynamic scripts.

5. If file names will be passed in URL parameters, then use a hard- coded file extension constant to limit access to specific file types. Append this constant to all file names. Also, make sure to remove all NULL-character (%00) sequences in order to prevent attacks that bypass this type of check. (Some interpreted scripting languages permit NULL characters within a string even though the underlying operating system truncates strings at the first NULL character.) This prevents directory traversal attacks within the Web document root that attempt to view dynamic script files.

6. Validate all input so that only the expected character set is accepted (such as alphanumeric). The validation routine should be especially aware of shell meta-characters such as path-related characters (/ and ) and command concatenation characters (& for Windows shells and semi-colon for Unix shells). Set a hard limit for the length of a user-supplied value. Note that this step should be applied to every parameter passed between the client and server, not just the parameters expected to be modified by the user through text boxes or similar input fields.

7. Depending on your environment consider using a chroot jail for the Web server directories. This will virtually remove all upper-level file-system access even if the Web server or Web application is found to be vulnerable.

• Understanding directory traversal attacks


• Hacking Exposed Web Applications, Second Edition – Chapter 6: Input Validation Attacks