Dot dot slash attack has many names like path traversal, directory traversal. This means server allows an attacker to read a file with sensitive information or travel to other directories within the server. I will try to make it very simple to understand this weakness/vulnerability.
Let’s see what is the real threat here. We have a web application hosted on a Linux server. Some important files which get attackers attention are listed here (http://www.dba-oracle.com/linux/important_files_directories.htm)
So, we will take /etc/shadow file for example. This file has the user password stored in encrypted format who has login access in our server. If we have the path traversal weakness in our machine. Then the attacker can easily read the file and log in to our server.
We may think about how the attacker knows the exact location of these files. That’s why this attack is called a dot dot slash attack. If this is Linux we use (..) to jump one directory down.
Also Read : URL Redirection – Prevention and Detection of Malicious Redirects
For example:
We are in /home/user directory. If we want to come out of the user directory we will use the command (cd . .) Same works with path traversal weakness too. It is just a matter of time for the attacker to determine or locate the right file in the server.
Now, we will look at how a web server works in delivering content. The web server will read the source by receiving commands from the code. For instance, we have a URL, www.example.com/src. When there is a request submitted to the server to the src location. The web server will reach the deployed location first which will be /var/www/html/src. Once it reached the location, it will work according to the commands. If a request submitted by the attacker looks like this www.example.com/../../../etc/passwd, then the webserver will go 3 directories back /var/www/html and open the /etc/passwd file in the web browser. The attacker will submit multiple requests until the way is found to reach the sensitive files.
Detection:
- Check for the Regex pattern **/**/ in the URI path and the HTTP status code is 200 ( successfuly ) or 302 ( Redirected and landed on different page )
- Some of web servers 404 errors will leave attackers a information on web server version details. So Hide and secure the server banner messsages.
- Check the vulnerablity scanner results such that application is vulnerable to traversal vulnerablity.
- If it is vulnerable , Create a WAF rule to block traffic on the specfic patterns and give a SLA for development and server team to fix the issue at earliste.
- Keep an eye on your WAF ( Web application Firewall ) , Because day to day lots of WAF rules evasion techniques are released.
- If WAF is getting Bypassed and vulnerability can be successfully exploited by attacker , there is a high chances of compromises to other web components moving forward.
Prevention:
- Golden rule, never trust user input. Check the input against your business logic and allow if its expected request value.
- If there is necessity or business need for you to open paths from user input, map a integer for a file and allow it after checking that its free from attack request.