Another common web application security flaw is the directory traversal attack. This attack allows an attacker to manipulate the file system structure on a web server. In this video, learn how directory traversal attacks jeopardize the security of web applications.
- [Instructor] Another common web application security flaw is the directory traversal attack. This attack allows an attacker to manipulate the file system structure on a web server. Let's first talk about two important characteristics of Unix Filesystems. When using an Unix Filesystem, a single period references the current directory. Using two periods references the directory one level up in the hierarchy. A directory traversal attack uses these navigation references to try to move up and down the directory structure searching for unsecured files.
They work when an application allows a user to request files stored elsewhere in the file system. We're going to try one of these attacks in the Web Goat environment. First, here's a look at the file structure to help you understand what's happening in the demo. The ThreadSafetyProblem file is the one that we're actually supposed to get with the web application. The tomcat-users file is the one that we want to get our hands on. We're currently in the en directory, so we need to go up four levels to the .extract directory, and from there go down into the conf directory and grad the tomcat-users.xml file.
Here's the path that we'll follow. Four sets of two periods to bring us up to the extract directory, and from there, down to the conf directory and to the target file. Let's try a demo. We're going to use the Web Goat application again. This time, we also need to use another application called ZAP. ZAP is a web proxy that intercepts web requests and lets us modify them. We'll use it to modify a file request to include a directory traversal attack.
Here in Web Goat, you can see we have some lesson plans that we can review. Normally, we'd just click on a file name (clicks mouse) and click view file, scroll down, and see the contents of the file that the application intends to display. Now I'm going to try that again, but before I do, I'm going to go into ZAP and tell it to intercept the request before it is sent to the web server. This time, when I click view file, Web Goat stops the request. And I can go in and edit the file name that's being requested before it's sent to the server.
I'm going to change this to the path that we built together a moment ago. Four sets of two periods, followed by the name of the conf directory, and the tomcat-users.xml file. Then I'm going to go ahead and let the request go. If I now return to the web browser and scroll down, you'll see that instead of the thread safety problem lesson plan, I now have the contents of the tomcat-users file from elsewhere on the web server. Directory traversal attacks are dangerous, because they allow attackers to bypass normal access controls and view sensitive files stored on a web server.
There are two ways you can defend your applications against directory traversal attacks. First, you can use input validation to prevent the inclusion of periods in user requests. Second, you can set strict file system access controls to limit the web server users ability to read sensitive files.
- Comparing viruses, worms, and Trojans
- Backdoors and logic bombs
- Understanding the attacker
- Attack types: from denial of service to brute force attacks
- Preventing insider threats
- Wireless attacks
- Understanding cross-site scripting
- Preventing SQL injection
- Social engineering
- Scanning for vulnerabilities
- Penetration testing
- Assessing the impact of vulnerabilities