Hello friends, today we will discuss the directory traversal attack, which is widely used by many hackers all over the world. It is a really cool concept in website hacking, so let me give you a brief explanation of it.
Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
What is the root directory of a web server?
The root is the specific directory on the web server which contains some core, valuable information that the website administrator doesn't want to show to general visitors.
The outer part (the things meant for general visitors) is always accessible to normal users, but there are restrictions on visiting the root part.
As always, the web directory path is navigated with ../ or ..\ (dot dot slash).
The ..\ instructs the system to go one directory up. For example, say we are at the location C:\xx\yy\zz. On typing ..\ , we would reach C:\xx\yy.
On typing ..\ again, we would reach C:\xx .
It is as simple as that.
Note: It's ..\ on Windows and ../ on UNIX-like operating systems.
I think most of you have got some idea of it by now, so let's discuss:
What is a Directory Traversal attack?
Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.
What an attacker can do if your site is vulnerable?
With a system vulnerable to Directory Traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files or, even more dangerous, allow the attacker to execute powerful commands on the web server, which can lead to a full compromise of the system.
Example of a directory traversal attack via web application code
In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where to blindly find default files and directories on the system.
http://test.webarticles.com/show.asp?view=oldarchive.html
With this URL, the browser requests the dynamic page show.asp from the server and sends with it the parameter "view" with the value "oldarchive.html". When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server's file system, renders it and then sends it back to the browser, which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends this custom URL:
http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini
This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up, which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.
Example of a directory traversal attack via web server
Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.
The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.
For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be:
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\
The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell and running the command "dir c:\" in the shell. The %5c expression in the URL request is a web server escape code, which is used to represent normal characters. In this case %5c represents the character "\".
Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.
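The check described above (decode the escape codes first, then look for dot-dot segments) can also be run over access logs to spot such requests. This is an added example, not code from the original post; the log format and sample lines are constructed, and it goes slightly beyond the text by decoding repeatedly so that nested escape codes are normalized too.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 "GET /show.asp?view=oldarchive.html HTTP/1.1" 200',
    '10.0.0.9 "GET /show.asp?view=../../../../../Windows/system.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404',
    '10.0.0.7 "GET /show.asp?view=%252e%252e%252fsecret.txt HTTP/1.1" 403',
    '10.0.0.3 "GET /docs/release..notes.html HTTP/1.1" 200',
]

# Assumed log layout: the request line is quoted as "METHOD URL HTTP/x.y".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(url, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def has_traversal(url):
    """True if any path or query segment is exactly '..' after decoding."""
    # Treat the Windows separator like '/', since %5c decodes to a backslash.
    decoded = fully_decode(url).replace("\\", "/")
    segments = re.split(r"[/?=&]", decoded)
    return ".." in segments


def flag_lines(lines):
    """Return the log lines whose request URL contains a traversal segment."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in flag_lines(SAMPLE_LOG):
        print("SUSPICIOUS:", line)
```

Matching whole segments rather than the substring ".." keeps ordinary file names such as release..notes.html from being flagged.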
How to check for Directory Traversal vulnerabilities?
The best way to check whether your web site & applications are vulnerable to Directory Traversal attacks is by using a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Directory Traversal vulnerabilities.
I always suggest you use Acunetix.
Download it from our link (full versions) :)
Prevention of this attack
1. Proper use of the latest web server software
2. Effective filtering of user input
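One way to filter a file-name parameter such as "view" is to resolve it against the served folder and refuse anything that ends up outside it. This is an added example, not code from the original post: the function names and directory layout are hypothetical, and it assumes the parameter value has already been URL-decoded by the web framework.

```python
import os
import tempfile


def resolve_naive(base_dir, view):
    """Vulnerable pattern: the parameter is joined to the base path unchecked."""
    return os.path.normpath(os.path.join(base_dir, view))


def resolve_safe(base_dir, view):
    """Return the real path for `view` if it is a file inside base_dir, else None."""
    # Backslash is a separator on Windows; NUL and absolute paths are never valid names.
    if not view or "\x00" in view or "\\" in view or os.path.isabs(view):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks before the containment check.
    target = os.path.realpath(os.path.join(base, view))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Build a constructed directory tree and compare both resolvers."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        web = os.path.join(root, "wwwroot", "articles")
        os.makedirs(web)
        open(os.path.join(web, "oldarchive.html"), "w").close()
        open(os.path.join(root, "system.ini"), "w").close()  # outside the served folder
        for view in ("oldarchive.html", "../../system.ini", "..\\..\\system.ini"):
            naive_inside = resolve_naive(web, view).startswith(web + os.sep)
            results[view] = (naive_inside, resolve_safe(web, view) is not None)
    return results


if __name__ == "__main__":
    for view, (naive_inside, safe_allowed) in demo().items():
        print(f"{view!r}: naive stays inside={naive_inside}, safe allows={safe_allowed}")
```

The containment check runs on the fully resolved path, so it does not depend on guessing every spelling of "go one directory up".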