Directory traversal

from Wikipedia, the free encyclopedia

Directory traversal (also called forceful browsing) is a vulnerability in a web server or web application that allows files and directories which were never meant to be exposed to be accessed simply by entering their path in the URL. Possible targets are files containing sensitive data such as address data, credit card numbers or passwords.

Details

Normally, files on a web server outside of the web directory or its subdirectories should not be accessible from outside. In a directory traversal attack, an attacker tries to access files outside of these directories using manipulated path information.

Fundamental to this attack is that specifying ../ in a path moves one level up in the directory structure, while a leading / refers to the root of the directory structure.

Execution

By analyzing the web application, the attacker tries to obtain information on how parameters and the URLs being called are evaluated. This can involve dynamic form data that is insufficiently checked, as well as static documents. In the case of documents, the process is quite simple. If, for example, a document named "Jahresbericht_2008.pdf" is on the server and is referenced by the URL http://firma/berichte/Jahresbericht_2008.pdf, the attacker could conclude that documents also exist for other years and check this by requesting the appropriately modified URL. Backups or old versions of scripts that may contain sensitive data can also be targeted. A PHP script "database.php" can, for example, contain the access credentials for a database management system. This data is not sent to the user, but only used internally by the interpreter to connect to the database. However, if a backup of this file exists under the name "database.php.bak", the server may treat the file as plain text and send it directly to the user, who then sees the access credentials in plain text.

The manipulation of parameters works in the same way. If, for example, a user is shown his own account data under a URL such as http://bank/kontostand?nr=12345, he could try to obtain the data of other accounts by changing the account number in the URL. For this attack to work, however, the application must fail to check whether the user also has the right to perform this action.

Example

A URL looks like this:

http://www.example.com/index.foo?item=datei1.html

The item argument is used to specify the file that is to be output. If the index.foo script does not adequately check the argument value, a directory traversal vulnerability exists.

An attacker can now specify a different file, which can also be located in a completely different directory, since ../ moves one directory level up in a path. Assuming the web directory is three directory levels deep on the C: drive, the following URL would output the file C:\Config.sys on a Windows web server, provided the index.foo script has read access to this file.

http://www.example.com/index.foo?item=../../../Config.sys

The exact directory depth is usually not known to an attacker, but can then be determined by trial and error.

If the web server itself is vulnerable, not only can any files be read, but any applications can also be called, for example through:

http://www.example.com/index.foo?item=../../../Windows/System32/cmd.exe?/C+dir+C:\

Simply searching a path for ../ as a countermeasure is not enough. It must also be taken into account that individual characters could be replaced by URL encoding (for example, %2e%2e%2f in a URL does exactly the same thing as ../).
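As an added illustration of this countermeasure (example code, not from the article), the following Python contrasts the insufficient pattern search with decoding the item parameter, resolving it below the web root and verifying that the result still lies under that root; the web root path and the function names are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed web root for this example (assumed, not from the article).
WEB_ROOT = os.path.realpath("/srv/www/htdocs")


def naive_is_safe(item: str) -> bool:
    """The insufficient countermeasure: scan the raw parameter for '../'.

    It is fooled by URL encoding (%2e%2e%2f) and by backslashes (..\\)."""
    return "../" not in item


def resolve_item(item: str, root: str = WEB_ROOT) -> Optional[str]:
    """Resolve the item parameter to an absolute path inside the web root.

    Returns the path to serve, or None if the request must be rejected."""
    # Decode percent-encoding once, as the server would before opening the
    # file, so that %2e%2e%2f is handled exactly like the plain ../ form.
    decoded = unquote(item)
    # Treat backslashes as separators too (relevant on Windows web servers).
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths and embedded NUL bytes outright.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    # Join below the root and collapse every '..' and symlink, so the result
    # is the real file the server would open, whatever depth was requested.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # The decisive check: the resolved path must still lie under the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests mirroring the article's URLs.
    for item in ("datei1.html", "../../../Config.sys",
                 "%2e%2e%2f%2e%2e%2f%2e%2e%2fConfig.sys"):
        print(f"{item!r}: naive={naive_is_safe(item)} "
              f"resolved={resolve_item(item)}")
```

The containment check on the resolved path is what stops the attack; it does not depend on recognising every encoding of ../ in advance, and it also copes with an unknown directory depth.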

Legal position

Germany

In Germany, this type of attack falls into a legal gray area. In particular, if the attacker makes use of the data, a criminal offense is committed, even if the creator has apparently made the data publicly available on the Internet.
