Directory Traversal: Beyond ../

TL;DR

Yes, other sequences can achieve directory traversal besides ../. This guide explains these methods for both *nix (Linux/macOS) and Windows systems, along with how to prevent them.

Understanding Directory Traversal

Directory traversal attacks exploit vulnerabilities where user-supplied input is used to construct file paths without proper validation. The goal is to access files or directories outside the intended root directory. While ../ is common, it’s not the only way.

*nix Systems (Linux/macOS)

1. Absolute Paths: If your application allows users to specify a full path, they can bypass restrictions.
   • Example: Instead of expecting images/profile.jpg, an attacker might provide /etc/passwd.
2. Relative Paths with Multiple Components: Using multiple ../ sequences can move up several directories.
   • Example: ../../../../etc/passwd
3. Path Normalisation Issues: Some systems might not correctly normalise paths, leading to unexpected behaviour. This is less common now but worth knowing.
   • Symbolic links can be exploited if the application follows them without checking their destination.
4. Encoded Paths: Attackers may use URL encoding (e.g., %2e%2e/ for ../) or other encoding schemes to bypass basic filters.
   • Example: An attacker might try images/%2e%2e/etc/passwd
5. Globbing Characters: Wildcards like * and ? can sometimes be used to traverse directories, depending on the application’s handling.
   • Example: If an application allows images/*.jpg and doesn’t sanitise input, it might be possible to craft a malicious pattern.

Windows Systems

1. Absolute Paths: Similar to *nix, providing a full path bypasses restrictions.
   • Example: Instead of expecting imagesprofile.jpg, an attacker might provide C:Windowssystem32driversetchosts
2. Relative Paths with Multiple Components: Using multiple .. sequences.
   • Example: ../../../../Windowssystem32driversetchosts
3. Short File Names (8.3 Filenames): Windows creates short names for long filenames. Attackers might try to use these.
   • Example: If a file is named verylongfilename.txt, its short name might be VERYLO~1.TXT.
4. Encoded Paths: Similar to *nix, URL encoding or other encoding schemes can bypass filters.
   • Example: An attacker might try images%2e%2e%5cetchosts. Note the use of %5c for backslash.
5. UNC Paths (Universal Naming Convention): Attackers can attempt to access network shares.
   • Example: \serversharefile.txt

Prevention Strategies

1. Input Validation: The most important step! Never trust user input.
   • Whitelist Approach: Only allow specific characters and file extensions. Reject anything else.
   • Blacklist Approach (Less Reliable): Block known malicious sequences like ../, .., absolute paths, etc. This is harder to maintain as attackers find new ways around it.
2. Path Normalisation: Use built-in functions to canonicalise the path before using it.
   • *nix: realpath() in C/C++, or equivalent functions in other languages.
   • Windows: GetFullPathName() in C/C++.
3. Chroot Jails (Linux): Confine the application to a specific directory, preventing access outside it.
4. Least Privilege: Run the application with the minimum necessary permissions.
5. Regular Security Audits and Penetration Testing: Identify vulnerabilities before attackers do.