Tip

Understanding directory traversal attacks

Jennette Mullaney, Assistant Editor
Cross-site scripting (XSS) and SQL injection strike fear into the heart of the security professional. Any site devoted to Web application security, such as this one, will have a wealth of information about these two exploits. Another input validation attack, directory traversal, is less well-documented.

Yet, it's very popular among hackers. More common than XSS attacks and, in many ways, easier to execute, directory traversal exploits are ravaging the Web. If that seems hard to swallow, consider this. The Symantec Internet Security Threat Report from the last quarter of 2005 [1] lists generic HTTP directory traversal attacks as the second most common attack for the second half of that year. To offer some perspective, buffer overflows were sixth, XSS seventh.

And for the first half of 2005, directory traversal was ranked fourth. Why the rise? Symantec postulates that it is due in part to attack trends. Malicious users are moving away from network attacks and are turning their attentions to Web applications and services.

How it attacks your Web applications
Directory traversal attacks allow malicious users to literally "traverse" the directory and bypass the access control list to gain access to restricted files and even manipulate data.

These attacks are HTTP exploits that begin with a simple GET or other type of HTTP request to a dynamic page. If your Web site is vulnerable, and chances are it is, the server will return a file whose name was taken from the request without proper validation. A malicious user will then request a file one or more directories up by adding one or more "../" sequences to the parameter. Each "../" instructs the page to "go up one directory."

Here is a code example from the Acunetix Web site:

First there's the request:

http://test.webarticles.com/show.asp?view=oldarchive.html

The hacker will notice the .html file extension and realize the site can retrieve files from the file system. He then sends this URL:

http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini

The page returns with the formerly restricted file system.ini and displays it to the malicious user.

Why directory traversal attacks are popular
Tom Stracener, senior security analyst for Cenzic Inc., is very concerned about the prevalence of directory traversal attacks and the damage they can inflict. "Directory traversal attacks are easy to automate and require less work on the part of an attacker than a detailed cross-site scripting attack or SQL injection flaws," he said.

There are a variety of directory traversal exploits, Stracener added.

One such variety is the Unicode-encoded traversal. The infamous Nimda virus that infected more than 300,000 computers was enabled by an IIS Unicode-encoded directory traversal attack.

The popularity of this type of attack is partially due to the fact that directory traversal attacks are incredibly easy to execute. Dot-dot-slash a few times and you've entered the root directory, seen the forbidden files and maybe even changed a few things around.

Compared to its feared cousins, XSS and SQL injection, directory traversal attacks are less difficult to automate, according to Stracener. The latter take "more work and coding time," he said. "With cross-site scripting, once you verify a Web application's vulnerability, you have to have some type of attack scenario in mind, which has its own set-up time."

Without expending much time and effort, an attacker can expect a high payoff from a directory traversal exploit. There's no need "to spider or crawl a site," said Stracener, as the attack can be launched against a Web server's root directory. "So an attacker can blast "../../" attacks and verify file access or command execution in short order."

What you can do
To prevent these attacks, it's necessary to validate the input your application uses to locate files. Directory traversal is, after all, a result of poor input validation. For an excellent overview of data validation, see OWASP Guide to Building Secure Web Applications and Web Services, Chapter 12: Data Validation.

There are also tools available to check your Web applications for vulnerabilities. Cenzic's Hailstorm, the Acunetix Web Vulnerability Scanner and the Symantec Enterprise Firewall are three examples.

And this quiz from Palisade Magazine recommends a combination of patching, turning off directory browsing, performing strong input validation with white lists and separating root and virtual directories from system files.
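The show.asp example above and the white-list advice in this section, side by side as an added example (written for this page, not code from the article or from Acunetix). The archive directory and the vulnerable/hardened resolver functions are assumptions for illustration: the first joins the view parameter onto the directory unchecked, the second applies a white list and then confirms the normalised path still lies inside the directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed layout for this example (not from the article): the directory
# that show.asp is meant to serve archive pages from.
ARCHIVE_ROOT = "/srv/webarticles/archive"


def resolve_vulnerable(view):
    """The show.asp pattern from the article: 'view' is joined onto the
    archive directory unchecked, so each '../' walks one level up."""
    return posixpath.normpath(posixpath.join(ARCHIVE_ROOT, view))


def resolve_hardened(view):
    """Positive (white-list) validation plus a containment check.
    Returns the absolute path to serve, or None when the request is rejected."""
    # Decode percent-encoding exactly once so %2e%2e%2f is judged in decoded
    # form. Overlong UTF-8 such as %c0%af (the IIS Unicode trick) decodes to
    # U+FFFD and fails the white list below.
    decoded = unquote(view)
    # A '%' surviving one decode means double encoding; NUL can truncate paths
    # in native code. Reject both outright.
    if "%" in decoded or "\x00" in decoded:
        return None
    # White list: one plain archive file name, no separators of any kind.
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.html", decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(ARCHIVE_ROOT, decoded))
    # Defence in depth: the normalised path must still sit under ARCHIVE_ROOT.
    # With real files, use os.path.realpath here so symlinks are resolved too.
    if posixpath.commonpath([ARCHIVE_ROOT, candidate]) != ARCHIVE_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the article's two URLs plus encoded variants.
    for req in ("oldarchive.html",
                "../../../../../Windows/system.ini",
                "..%2f..%2f..%2fWindows%2fsystem.ini",
                "..%252f..%252fWindows/system.ini"):
        # A real server decodes once before the page sees the parameter.
        print(f"{req!r:45} vulnerable -> {resolve_vulnerable(unquote(req))}")
        print(f"{'':45} hardened   -> {resolve_hardened(req)}")
```

The vulnerable resolver hands back /Windows/system.ini for the article's traversal URL, while the hardened one rejects it and every encoded variant but still serves oldarchive.html.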

More information
Avoid the hazards of unvalidated Web application input

1. "Symantec Internet Security Threat Report: Trends for July 05 – December 05." Volume IX, March 2006.


This was first published in June 2006
