Hello my fellow noob! Today we are going to learn what a Path/Directory Traversal Attack is and the security risks associated with it.
Directory traversal is an attack that can give an attacker read-only access to directories and files lying on the web server.
It may sound like LFI, but it's different.
You can execute files with LFI, but you can't do the same with a directory traversal attack. As the name suggests, directory traversal gives access to directories as well as files, which isn't possible with LFI.
Directory/Path Traversal Attack: Detection
Look at these two URLs:
Which one looks like a potential target to you? First one? Good try.
Well both of them can be targeted, like this:
Let's try a real-world example so you can understand better.
Here's a webpage that is prompting us for a download:
Its URL is:
Now let's remove download.php?id=159 from the URL, and the URL will become:
Here we go!
Damn! Can you see that? We can upload files on the server right away.
Now let's shorten the URL even more:
As soon as I visited this URL, I got redirected to the admin panel of this poor website.
Directory traversal is fun, isn't it?
Many directory traversal vulnerabilities may show up like this as well:
Now let's remove /download.php from the URL:
We have the index of their directories and files. We can browse through the file system by using this interface.
So this is the first case! We just altered the path present in the URL and got juicy pages!
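The index page we just got is not a bug in the application code; it is the web server's own directory-listing feature doing its job on a path the developer never meant to expose. As an added example that is not part of this post, here is a tiny Python static file server (the standard library's SimpleHTTPRequestHandler) with the listing switched off: the file under /files/ is still downloadable, but asking for /files/ itself now gets a 403 instead of an index. The web root, the file name report.pdf and the /files/ path are constructed for the demo.

```python
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class NoIndexHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that serves files but never renders a directory index."""

    def list_directory(self, path):
        # The stock handler builds an HTML listing of `path` here whenever the
        # directory has no index.html; that listing is what a trimmed URL exposes.
        self.send_error(403, "Directory listing disabled")
        return None

    def log_message(self, format, *args):
        pass  # silence request logging for the example


def start_server(directory):
    """Serve `directory` on a free loopback port; returns (server, base_url)."""
    handler = functools.partial(NoIndexHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def http_status(url):
    """GET `url` and return the HTTP status code, including error codes."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Constructed web root with one downloadable file under /files/.
    Returns the status codes for the file itself and for its parent directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "files", "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    server, base = start_server(root)
    try:
        return {
            "file": http_status(base + "/files/report.pdf"),
            "listing": http_status(base + "/files/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # {'file': 200, 'listing': 403}
```

The same idea applies to any server: turning off automatic indexes removes the "browse the file system" interface, and pages like an upload form or an admin panel still need their own authentication check, since hiding them behind an unlinked path is not access control.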
Now let's take a look at the second case, one where you have no idea about the path, just like LFI.
Exploitation of this kind of URL is the same as LFI, so you can refer to my in-depth article about Local File Inclusion.
Here are some techniques to bypass filters that aren’t mentioned in that LFI article:
Try %2f instead of / and %5c instead of \
Try using 16-bit Unicode encoding (. = %u002e, / = %u2215, \ = %u2216)
Try double URL encoding (. = %252e, / = %252f, \ = %255c)
Try overlong UTF-8 Unicode encoding (. can be %c0%2e, %e0%40%ae, %c0ae, / can be %c0%af, %e0%80%af, %c0%2f, etc., \ can be %c0%5c, %c0%80%5c)
Let's say there's a filter that appends .jpg to the end of the parameter value.
will be processed as example.com/view.php?load=lion.jpg
So /etc/passwd will be processed as /etc/passwd.jpg, which will result in an error.
We can bypass this by injecting a newline (%0a) or null byte (%00) character like this:
If the filter is removing /, you can try //; the filter will be bypassed if it doesn't check recursively. On Windows you can use \ instead of /.
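Every bypass in this section works because the filter looks at the raw parameter instead of at the path the operating system will finally open. As an added example, not code from this post, here is a Python resolver that does it the other way round: it decodes all the layers first (plain and double percent-encoding, the %uXXXX form, strict UTF-8 so overlong bytes like %c0%af are refused), rejects null bytes and newlines, maps the U+2215 and U+2216 look-alike separators back to / and \, and only then joins the value onto the web root and checks with realpath that the result is still inside it. A naive "strip ../ once" filter is included beside it to show why stripping is not a substitute. The web root, the img/lion.jpg file and the payload list are constructed for the demo.

```python
import os
import re
import tempfile
import urllib.parse

MAX_DECODE_ROUNDS = 3  # enough to unwrap double encoding (%252e -> %2e -> .)
_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
FORBIDDEN_CHARS = {"\x00", "\n", "\r"}  # null byte and newline tricks
# U+2215 DIVISION SLASH and U+2216 SET MINUS, the %u2215 / %u2216 look-alikes
SEPARATOR_ALIASES = {"\u2215": "/", "\u2216": "\\"}


def decode_layers(value):
    """Fully decode a URL parameter: repeat percent-decoding (catches %252e),
    translate %uXXXX escapes, and insist on strict UTF-8 so overlong forms
    such as %c0%ae or %e0%80%af are rejected instead of silently becoming '.'."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        step = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), current)
        raw = urllib.parse.unquote_to_bytes(step)
        try:
            step = raw.decode("utf-8")  # strict decoding raises on overlong bytes
        except UnicodeDecodeError:
            raise ValueError("malformed or overlong UTF-8 in path")
        if step == current:
            break
        current = step
    return current


def safe_resolve(base_dir, user_value):
    """Return the absolute file path for `user_value` inside `base_dir`,
    or raise ValueError if the decoded path escapes the web root."""
    decoded = decode_layers(user_value)
    if any(ch in FORBIDDEN_CHARS for ch in decoded):
        raise ValueError("control character in path")
    for alias, sep in SEPARATOR_ALIASES.items():
        decoded = decoded.replace(alias, sep)
    decoded = decoded.replace("\\", "/")  # treat Windows separators like /
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def naive_strip(value):
    """The flawed approach: delete '../' once and hope. Non-recursive, so
    '....//' collapses back into '../' after the first pass."""
    return value.replace("../", "")


# Constructed payloads built from the encodings listed above
TRAVERSAL_SAMPLES = [
    "../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "..%5c..%5cetc%5cpasswd",
    "%u002e%u002e%u2215etc%u2215passwd",
    "%252e%252e%252fetc%252fpasswd",
    "%c0%ae%c0%ae%c0%afetc%c0%afpasswd",
    "..%c0%af..%c0%afetc%c0%afpasswd",
    "../../etc/passwd%00.jpg",
    "../../etc/passwd%0a.jpg",
]


def rejected_samples(base_dir):
    """Return the payloads safe_resolve refuses (all of them, if it is correct)."""
    refused = []
    for sample in TRAVERSAL_SAMPLES:
        try:
            safe_resolve(base_dir, sample)
        except ValueError:
            refused.append(sample)
    return refused


def make_sample_root():
    """Constructed web root containing img/lion.jpg."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "img"))
    open(os.path.join(root, "img", "lion.jpg"), "wb").close()
    return root


if __name__ == "__main__":
    root = make_sample_root()
    print(safe_resolve(root, "img%2flion.jpg"))
    print(len(rejected_samples(root)), "of", len(TRAVERSAL_SAMPLES), "payloads refused")
    print(naive_strip("....//....//etc/passwd"))  # ../../etc/passwd
```

The ordering is the whole point: decode, then validate, then build the path and compare the canonical result against the canonical root. Appending .jpg or stripping substrings before that step is what lets the null byte, the newline and the ....// trick through.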
So that's pretty much all I had in mind.
I hope you enjoyed this tutorial.