Directory traversal

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.

📘CompTIA CySA+ (CS0-003)


What is Directory Traversal?

Directory traversal is a type of web application attack where an attacker tries to access files and directories on a server that should not be accessible.

  • Normally, a web server restricts users to certain folders (called document root).
  • Directory traversal allows an attacker to “trick” the server into going outside the allowed folders to access sensitive files.

How Directory Traversal Works

  1. Web applications often allow users to request files using URLs.
     Example URL: https://example.com/view?file=report.txt
     • Here, report.txt is stored in a specific folder like /var/www/html/files/.
  2. An attacker modifies the file path to climb up the directory tree using special symbols:
     • ../ in Linux/Unix (means “go up one folder”)
     • ..\ in Windows (same meaning)

Example of an attack:

  https://example.com/view?file=../../../../etc/passwd

  • This attempts to access /etc/passwd on a Linux server (contains user account info).
  • If the server doesn’t validate the input, the attacker can read sensitive files, like password files, configuration files, or database credentials.

Why Directory Traversal is Dangerous

  • Allows attackers to read sensitive files they should not access.
  • Can expose password files, SSH keys, application configs, or API secrets.
  • Sometimes can even allow writing files, which could lead to full server compromise.

Types of Directory Traversal

  1. Basic Traversal – Directly using ../ to go up folders.
  2. Encoded Traversal – Attackers encode the path (%2e%2e/) to bypass filters.
  3. Double/Multiple Traversals – Using many ../ sequences to reach sensitive directories.

How to Detect Directory Traversal

  • Security testing tools like Burp Suite, OWASP ZAP, or Nikto can test web apps for traversal vulnerabilities.
  • Watch server logs for suspicious patterns like ../ or ..\ in file requests, including URL-encoded forms such as %2e%2e/ that are meant to slip past simple filters.
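The log check described above, as an added example that is not part of the original notes: it scans access-log lines in the common combined format, percent-decodes the request target a bounded number of times (so single- and double-encoded sequences collapse to their literal form), unifies Windows and Unix separators, and flags any request whose decoded path contains a standalone “..” segment. The log lines are constructed samples, not real traffic; the regex and the three-round decode limit are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /view?file=report123.txt HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /view?file=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /view?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /view?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /view?file=..\\..\\windows\\win.ini HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "GET /view?file=summary..txt HTTP/1.1" 200 300
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A '..' segment that is not part of a longer name (so 'summary..txt' is not flagged)
# and is followed by a separator or the end of the target.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')


def normalise_target(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..',
    then map backslashes to forward slashes so Windows-style paths share one check."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def find_traversal(log_text):
    """Return (client_ip, original_target, decoded_target, status) for every request
    whose decoded target contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        decoded = normalise_target(target)
        if TRAVERSAL_RE.search(decoded):
            ip = line.split(" ", 1)[0]
            status = line.rsplit(" ", 2)[-2]
            hits.append((ip, target, decoded, status))
    return hits


def clients_over_threshold(hits, threshold=2):
    """Group flagged requests by client so an alert fires on repeated attempts
    rather than on a single odd-looking request."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print("repeat offenders:", clients_over_threshold(find_traversal(SAMPLE_LOG)))
```

A 200 status on a flagged line (as on the second and third sample lines) is the case to escalate first: it suggests the request was served rather than rejected.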

Controls to Mitigate Directory Traversal

  1. Input Validation
    • Never trust user input.
    • Allow only specific file names or extensions (.txt, .pdf).
    • Reject anything containing ../ or URL-encoded variants.
  2. Use Secure APIs
    • Some programming languages provide safe file access functions that prevent access outside a defined folder.
    • Example in Python: use os.path.join and os.path.normpath to build and normalize the path, then confirm the resolved path still lies inside the intended base directory before opening it.
  3. Access Control
    • Ensure files outside the intended folder have strict permissions.
    • Only allow the web server account to read files necessary for the application.
  4. Web Server Configuration
    • Restrict the web server to serve files only from specific directories.
    • Disable directory listing to avoid showing available files to users.
  5. Logging and Monitoring
    • Monitor logs for suspicious file path requests.
    • Alerting on such requests reveals traversal attempts early, before the attacker finds a request that works.
  6. Patch and Update
    • Keep web servers, frameworks, and applications up to date to prevent known vulnerabilities.

Example of Mitigation in IT Environment

  • Suppose a server stores user reports in /var/www/html/reports/.
  • Allow only filenames in this folder, e.g., report123.txt.
  • If someone tries ../../etc/passwd, the application rejects it because input validation blocks unexpected patterns.
  • The server process cannot read /etc/passwd because of file permissions.
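The mitigation scenario above, and the “Use Secure APIs” control, as an added example that is not part of the original notes. It shows a naive file reader beside a hardened one: the hardened version decodes the request once, allow-lists a bare file name with a permitted extension, resolves the joined path with os.path.realpath, and finally confirms with os.path.commonpath that the result is still inside the reports directory (so symlinks and ../ cannot escape even if the allow-list were loosened). The directory layout, file contents and the ALLOWED_SUFFIXES list are constructed for this example; demo() builds them in a temporary directory.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed allow-list for this example; a real application would set its own.
ALLOWED_SUFFIXES = (".txt", ".pdf")


def vulnerable_read(base_dir, requested):
    """The 'before' version: joins the user-supplied name onto the base directory
    and opens whatever that points at, with no check on where it ended up."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_path(base_dir, requested):
    """Return the absolute path for `requested` only if it is a plain file name with an
    allowed extension AND resolves to a location inside base_dir; raise ValueError otherwise."""
    # Decode once so %2e%2e-style encodings cannot hide from the checks below.
    name = unquote(requested)
    # Allow-list: a bare file name (no separators of either flavour) with a permitted extension.
    if "\\" in name or os.path.basename(name) != name or not name.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"rejected file name: {requested!r}")
    # Canonicalise both sides so '..' and symlinks are resolved before comparing.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment check: the resolved target must share base as its common prefix.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes document root: {requested!r}")
    return target


def safe_read(base_dir, requested):
    """Hardened reader: only opens a path that passed safe_path()."""
    with open(safe_path(base_dir, requested), "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway layout: <tmp>/reports/report123.txt (allowed) and
    <tmp>/secret.txt (outside the document root), then exercise both readers."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        with open(os.path.join(reports, "report123.txt"), "w") as fh:
            fh.write("quarterly figures")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("db_password=hunter2")  # constructed sample secret, not real

        leaked = vulnerable_read(reports, "../secret.txt")  # naive reader walks out of the root
        allowed = safe_read(reports, "report123.txt")        # hardened reader serves the valid file
        results = {"leaked": leaked, "allowed": allowed, "rejected": []}
        # Each of these is refused by the allow-list or the containment check.
        for attempt in ("../secret.txt", "%2e%2e/secret.txt", "/etc/passwd",
                        "..%5csecret.txt", "report123.sh"):
            try:
                safe_read(reports, attempt)
            except ValueError:
                results["rejected"].append(attempt)
        return results


if __name__ == "__main__":
    out = demo()
    print("naive reader leaked:   ", out["leaked"])
    print("hardened reader served:", out["allowed"])
    print("hardened reader rejected:", out["rejected"])
```

The allow-list alone already stops every attempt in demo(); the realpath/commonpath check is the second layer the notes call for, and it is the one that still holds if a later change lets sub-directories or user-chosen names through. Pair it with the file permissions from the scenario so that even a bypass of the code check meets a server account that cannot read /etc/passwd.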

Key Exam Points to Remember

  • Directory traversal lets attackers access files outside allowed directories.
  • Common symbols: ../ (Linux), ..\ (Windows).
  • Mitigations:
    • Input validation
    • Secure APIs
    • Proper permissions
    • Web server restrictions
    • Logging and monitoring
  • Think: “Never trust the user. Limit what the server can see.”