A web server is no different from a standard computer, apart from having more powerful resources. It stores files in directories on a local device just like a personal machine does, but server files contain far more sensitive information that can be used in phishing and malware attacks. Sensitive web application files hold keys, secrets, usernames and passwords, and database connection strings that are critical to service functionality. Path traversal attacks take advantage of poor web application design and use vulnerable code to retrieve information from these sensitive files. To protect against these attacks, developers must understand how a path traversal attack works and what can be done to secure vulnerable code.
What is a Path Traversal Attack?
If you run a simple WordPress blog with anti-malware software such as WordFence, you’ve probably noticed a “path traversal” notification in your reports. Software such as WordFence blocks these attacks, but custom web applications often have their own procedures for retrieving local file information. In addition to the web application protecting itself against path traversal attacks, permissions on the server must be set to stop attackers from downloading sensitive files.
Path traversal attacks exploit either security misconfigurations on the operating system or vulnerabilities in application functionality to retrieve sensitive files. To understand how a path traversal attack works, consider the following image HTML tag:
<img src="/images/myimage.png">
In the tag above, the web application retrieves the “myimage.png” file from the “images” directory and displays it in the web browser, but what happens if the image tag contains the following HTML properties?
<img src="../../../etc/passwd">
The “passwd” file on Linux contains password hash values that could be valuable to a cyber-criminal during a brute-force attack against administrator passwords. If the server isn’t configured to block this file from web access, this simple request could disclose those password hash values.
Luckily, Linux has several permission protections that stop standard web users from accessing this file, but “passwd” is a well-known critical file that many attackers target. Web applications often use dynamic file retrieval to display files and other information, and this is where path traversal attacks succeed if the right limitations aren’t programmed into the application.
Path Traversal in Vulnerable Web Applications
Web applications use dynamic file retrieval for several functions. For instance, when you save a document through a corporate application, a PDF may be created and stored on the corporate network; that location could be on the server, on network storage, or in the cloud. Another example is online forums. Forum software allows users to upload a custom avatar image that identifies the user account. Because each image depends on the user account, the forum software dynamically retrieves the avatar file based on the user authenticated into the application.
For example, look at the following URL:
In the above URL, the web application uses the “avatar_image” query string value to retrieve an image file. The example URL retrieves the avatar image that the user uploaded. Under normal, non-attack conditions, the web application expects a png or jpg file located in the forum’s image directory, similar to the following URL:
As an attacker researches a site for potential vulnerabilities, this dynamic retrieval of an avatar image will be tested for possible exploits. If the developer does not account for them, arbitrary files can be retrieved. For instance, an attacker will try the following request:
In the above request, the attacker determines whether the application will retrieve the “passwd” file. If the password file can’t be retrieved, the attacker will target other application files. The “passwd” file is specific to Linux, but an attacker will target files specific to the server’s operating system and application architecture. Your web server will disclose its operating system to the attacker unless you configure it to hide these details, and from the operating system the attacker can infer the application architecture and frameworks in use. For instance, a Windows web server probably runs an application built on the .NET framework. An attacker can use this information to launch further attacks, including path traversals: .NET applications use a web.config file to store sensitive information, so on a Windows server an attacker might target this configuration file instead.
Path traversal is a common attack scenario against WordPress sites. A web server running WordPress software contains a “wp-config.php” file stored on the local drive. This file contains configuration for the application, including the database username and password. If you use anti-malware software such as WordFence in your WordPress application, you might see the following information about blocked attacks:
Blocked for Directory Traversal – wp-config.php in query string: file=../wp-config.php
In this notification, WordFence tells you that the attacker was using the search feature to find out whether your website discloses the wp-config.php file to the public. The following is another example of a WordFence notification for a path traversal attack:
Blocked for Directory Traversal – wp-config.php in query string: img=../wp-config.php
In this notification, the attacker tried to load the wp-config.php file through an image parameter, which could indicate that the application is already compromised. If an attacker can include the wp-config.php file in an image tag, the contents of the file could be disclosed.
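The two WordFence notices above are the kind of event a server owner should also be able to spot in raw access logs. The following is an added example (not code from the article or from WordFence) that scans constructed sample log lines for query-string values carrying a “..” path component, decoding percent-encoding repeatedly so that encoded and double-encoded variants are caught while ordinary file names such as “readme..txt” are not flagged:

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in common log format (sample data, not taken
# from the original article). The second and third requests mirror the two
# WordFence notices quoted above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /forum/avatar.php?avatar_image=user42.png HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=../wp-config.php HTTP/1.1" 403 512
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?img=..%2F..%2Fwp-config.php HTTP/1.1" 403 512
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /docs/view?file=readme..txt HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded %252e%252e%252f still ends up as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True when the decoded value contains a '..' path component; splitting
    on '/' and '\\' also covers Windows-style requests."""
    return any(part == ".." for part in re.split(r"[\\/]", decode_fully(value)))


def flag_traversal(log_text: str):
    """Return (client_ip, parameter, raw_value) for every query-string
    parameter whose value carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for pair in urlsplit(match.group(1)).query.split("&"):
            key, _, raw_value = pair.partition("=")
            if has_traversal(raw_value):
                hits.append((client_ip, key, raw_value))
    return hits
```

Running flag_traversal(SAMPLE_LOG) reports the three traversal attempts with their client addresses and leaves the two legitimate requests alone.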
Defending Against Path Traversal Attacks
For custom web applications, developers should always write code to defend against these attacks. How to code the defence depends on the nature of the website functionality. If users upload files, always store them in a specific directory and allow retrieval of files only from that directory. Slash (“/”) and period (“.”) characters should be filtered out of the input. If you must traverse directories on the server, configure a whitelist of directories in your code and disallow any other directory supplied through query string input.
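To make the forum avatar case concrete, here is an added example (not code from the article) showing the unsafe retrieval pattern beside a hardened version that applies the rules above: the value is decoded once, separators and dot-directory names are rejected, the extension must be on a whitelist, and the resolved path is checked to still lie inside the dedicated avatar directory. The directory path and extension list are assumptions for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed layout for the forum example (assumption, not a path from the
# original article): avatars live in one dedicated directory.
AVATAR_DIR = "/var/www/forum/images/avatars"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}


def vulnerable_avatar_path(avatar_image: str) -> str:
    """The unsafe pattern: the query-string value is joined straight onto
    the image directory, so enough '../' components walk out of it."""
    return os.path.normpath(os.path.join(AVATAR_DIR, avatar_image))


def safe_avatar_path(avatar_image: str) -> Optional[str]:
    """Hardened retrieval: decode once, accept only a bare file name with a
    whitelisted image extension, then confirm the resolved path is still
    inside AVATAR_DIR. Returns None when any check fails."""
    name = unquote(avatar_image)
    # A valid avatar is a bare file name; any separator or dot-directory
    # component means the input is trying to be a path.
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # Containment check as a second layer. normpath keeps the example free of
    # filesystem access; on a live server use os.path.realpath so a symlink
    # inside the directory cannot point back out of it.
    candidate = os.path.normpath(os.path.join(AVATAR_DIR, name))
    if os.path.commonpath([AVATAR_DIR, candidate]) != AVATAR_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("user42.png", "../../../../../etc/passwd",
                  "..%2F..%2Fwp-config.php", "shell.php"):
        print(repr(value), "->", vulnerable_avatar_path(value),
              "|", safe_avatar_path(value))
```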
With out-of-the-box applications such as WordPress, cybersecurity plugins such as WordFence will stop these attacks provided they’re configured to block path traversals. WordPress runs on Windows or Linux environments, and these operating systems block public users from reading the contents of critical files.
Finally, you should ensure that the proper permissions are set on files so that web users cannot read their contents. A PHP file is considered an executable, so users should only be able to execute PHP files and not read their code. Any sensitive files should be secured in their own directory, and only the server application can retrieve them.
Path traversal attacks are serious cyber-threats that can lead to full compromise of your server, the database, or the application source code. Never trust query string input implicitly, which means that the application should use several whitelists and validation checks before retrieving files specified in a URL.
At FullHost, the Standard server management included with our Managed Cloud Servers provides Web Application Firewall (WAF) protection against directory traversal attacks and many other measures to keep your server and applications secure, along with additional advanced solutions that can be tailored to your needs.