A directory traversal attack lets threat actors exploit HTTP weaknesses to gain unauthorized access to restricted files and directories. Also known as “path traversal attacks,” attackers use web server software to bypass inadequate security mechanisms and access directories and files stored outside webroot folders. That allows attackers to compromise entire web servers.

Performing directory traversal attacks let threat actors access application code and data, backend system credentials, and operating system (OS) files. In some cases, attackers can even write arbitrary files or those that don’t go through security checks on the server, allowing them to change application data or behavior and take complete control of a server.

Other interesting terms…

Read More about “Directory Traversal Attack

A directory traversal attack lets threat actors exploit HTTP weaknesses to gain unauthorized access to restricted files and directories. Also known as “path traversal attacks,” attackers use web server software to bypass inadequate security mechanisms and access directories and files stored outside webroot folders. That allows attackers to compromise entire web servers.

Performing directory traversal attacks let threat actors access application code and data, backend system credentials, and operating system (OS) files. In some cases, attackers can even write arbitrary files or those that don’t go through security checks on the server, allowing them to change application data or behavior and take complete control of a server.

Read More about a Directory Traversal Attack

Directory traversal attacks also go by several other names, including “../ (dot dot slash) attacks,” “directory climbing attacks,” and “backtracking attacks.” In such attacks, threat actors seek vulnerabilities in two security mechanisms—the Access Control List (ACL) and the root directory. Let’s define each below.

What Web Server Components Are Compromised in a Directory Traversal Attack?

As mentioned earlier, directory traversal attackers target two folders on a web server. These are:

  • ACL: An ACL is used in the authorization process. Web server administrators utilize this list to indicate the users or groups who can access, modify, or execute specific files on the server. The users or groups in the ACL can also have other access rights. Here’s an example of an ACL:
Source: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81733-contr-acls-rle.html
  • Root directory: The root directory is located in the server file system. It confines all authorized users, which means they cannot access anything outside the root directory. Here’s an example of a root directory:
Source: https://tipsmake.com/what-is-the-root-directory

What Can Directory Traversal Attackers Do to a Vulnerable Site?

Attackers can use a directory traversal attack on a website with inadequate security to step outside the root directory and modify other parts of the file system. Such attacks enable threat actors to view restricted files. That could give them more information to compromise the entire system.

In a directory traversal attack, threat actors execute commands by impersonating users authorized to access the website. Therefore, the attackers need to impersonate the user with the most access rights to succeed.

How Does a Directory Traversal Attack Occur?

To launch a directory traversal attack, threat actors typically follow these steps:

  1. The attackers identify an insufficiently secured web application.
  2. The threat actors use a valid GET request to retrieve and return an expected file from the webserver.
  3. The attackers change a ../ string to retrieve a file outside the root directory.
  4. The GET request gets executed successfully, granting the threat actors access to files containing confidential information.

The diagram below shows the process.

directory traversal attack
Source: https://spanning.com/blog/directory-traversal-web-based-application-security-part-8/

How Do Users Know If Their Site Is Vulnerable to a Directory Traversal Attack?

Using a web vulnerability scanner is the best way to check if your site and web applications are susceptible to directory traversal attacks. Such a tool scans your entire website to check for vulnerabilities. It then reports the weaknesses and tells you how to fix them. A web vulnerability scanner also checks for SQL injection, cross-site scripting (XSS), and other security gaps.

How Do Users Protect against Directory Traversal Attacks?

Website and web application administrators can safeguard against directory traversal attacks by following these best practices:

  • Make sure you have the latest version of your web server software installed. Be sure you also apply all patches.
  • Filter user inputs. That means removing everything but known good data and filtering metacharacters from user inputs. A metacharacter is a character that has a special meaning during pattern processing. Examples of metacharacters include ^ (beginning of line), $ (end of line), and | (or). You can find more metacharacters and their meanings on this page. That will ensure only the characters that you should enter into a field get submitted to the server.
  • Validate user inputs from browsers. Input validation can help make sure attackers can’t use command techniques like SQL injection that violate access privileges and may grant threat actors access to a root directory.
  • Use filters on web applications to block suspicious user inputs. Such filters should block URLs that contain commands and escape codes that attackers commonly use.

Directory traversal attacks are dangerous since they give threat actors full access to your website or web application. They can then steal sensitive information from the web server and even turn your site or application into a malware host.