Cross-site scripting (XSS) and SQL injection strike fear into the heart of the security professional. Any site devoted to Web application security, such as this one, will have a wealth of information about these two exploits. Another input validation attack, directory traversal, is less well-documented.
Yet, it's very popular among hackers. More common than XSS attacks and, in many ways, easier to execute, directory traversal exploits are ravaging the Web. If that seems hard to swallow, consider this. The Symantec Internet Security Threat Report from the last quarter of 20051 lists generic HTTP directory traversal attacks as the second most common attack for the second half of that year. To offer some perspective, buffer overflows were sixth, XSS seventh.
And for the first half of 2005, directory traversal was ranked fourth. Why the rise? Symantec postulates that it is due in part to attack trends. Malicious users are moving away from network attacks and are turning their attentions to Web applications and services.
How it attacks your Web applications
Directory traversal attacks allow malicious users to literally "traverse" the directory and bypass the access control list to gain access to restricted files and even manipulate data.
These attacks are HTTP exploits that begin with a simple GET or other type of HTTP request from a dynamic page. If your Web site is vulnerable, and chances are it is, the server will return with a file that hasn't been properly validated. A malicious user will then send a request for a file one or more directories up by adding one or more "../" directives to the string. Each "../" instructs the page to "go up one directory."
Here is a code example from the Acunetix Web site:
First there's the request
The hacker will notice the .html file extension and realize the site can retrieve files from the file system. He then sends this URL
The page returns with the formerly restricted file system.ini and displays it to the malicious user.
Why directory traversal attacks are popular
Tom Stracener, senior security analyst for Cenzic Inc., is very concerned about the prevalence or directory traversal attacks and the damage they can inflict. "Directory traversal attacks are easy to automate and require less work on the part of an attacker than a detailed cross-site scripting attack or SQL injection flaws," he said.
There are a variety of directory traversal exploits, Stracener added.
One such variety is the Unicode encoded. The infamous Nimbda virus that infected more than 300,000 computers was enabled by an IIS Unicode encoded directory traversal attack.
The popularity of this type of attack is partially due to the fact that directory traversal attacks are incredibly easy to execute. Dot-dot-slash a few times and you've entered the root directory, seen the forbidden files and maybe even changed a few things around.
Tom StracenerSenior security analystCenzic Inc.
Compared to its feared cousins, XSS and SQL injection, directory traversal attacks are less difficult to automate, according to Stracener. These take "more work and coding time," he said. "With cross-site scripting, once you verify a Web application's vulnerability, you have to have some type of attack scenario in mind, which has its own set-up time."
Without expending much time and effort, an attacker can expect a high payoff from a directory traversal exploit. There's no need "to spider or crawl a site," said Stracener, as the attack can be launched against a Web server's root directory. "So an attacker can blast "../../" attacks and verify file access or command execution in short order."
What you can do
To prevent these attacks, it's necessary to sanitize your files. Directory traversal is, after all, a result of poor input validation. For an excellent overview of data validation, see OWASP Guide to Building Secure Web Applications and Web Services, Chapter 12: Data Validation.
Avoid the hazards of unvalidated Web application input
There are also tools available to check your Web applications for vulnerabilities. Cenzic's Hailstorm, the Acunetix Web Vulnerability Scanner and the Symantec Enterprise Firewall are three examples.
And this quiz from Palisade Magazine recommends a combination of patching, turning off directory browsing, performing strong input validation with white lists and separating root and virtual directories from system files.
1. "Symantec Internet Security Threat Report: Trends for July 05 – December 05." Volume IX, March 2006.