From the course: CompTIA Security+ (SY0-701) Cert Prep

Defending against directory traversal

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Defending against directory traversal

- [Instructor] Directory traversal attacks are another common web application security flaw. These attacks allow the attacker to manipulate the file system structure on the web server. Let's first talk about two important characteristics of file systems. When using a Linux file system, a single period references the current directory, and using two periods references the directory one level up in the hierarchy. A directory traversal attack uses these navigation references to try to move up and down the directory structure searching for unsecured files. These attacks work when an application allows a user to request files stored elsewhere on the file system. We're going to try one of these attacks using a tool called WebGoat. But first, here's a look at the file system that we'll be using in this exercise to help you understand what's happening in the demo. The ThreadSafetyProblem.html file is the one that we're actually supposed to get with the web application. The tomcat-users.xml file is the one that we want to get our hands on. Now, we're currently in the en end directory, so we need to go up four levels to the .extract directory, and then from there, go down into the conf directory and access the target file. Let's try a demo. We're going to use the WebGoat application again. This time, we also need to use another application called ZAP. ZAP is a web proxy that intercepts web requests and lets us modify them. We'll use it to modify a file request to include a directory traversal attack. Here in WebGoat, you can see we have some lesson plans that we can review. Normally, we just click on a file name and click View File. Scroll down and see the contents of the file that the application intends to display. Now I'm going to try that again, but before I do, I'm going to go into ZAP and tell it to intercept the request before it's sent to the web server. This time, when I click View File, WebGoat stops the request and I can go in and edit the file name that's being requested before it's sent to the server. I'm going to change this to the path that we built together a moment ago, four sets of two periods, followed by the name of the conf directory and the tomcat-users.xml file. Then I'm going to go ahead and let the request go. If I now return to the web browser and scroll down, you'll see that instead of the ThreadSafetyProblem lesson plan, I now have the contents of the tomcat-users file from the elsewhere on the web server. Directory traversal attacks are dangerous because they allow attackers to bypass normal access controls and view sensitive files stored on a web server. There are two ways you can defend your applications against directory traversal attacks. First, you can use input validation to prevent the inclusion of periods in user requests. Second, you can set strict file system access controls to limit the web server user's ability to read sensitive files.

Contents