What is a directory traversal?
A directory traversal is an HTTP attack that allows attackers to gain access to restricted files. Directory traversal attacks, also known as path traversal, are some of the most common and dangerous attacks that businesses will see.
Key takeaways
- Directory traversal vulnerabilities are enabled by insufficient sanitation, filtration and security of system files or parts of system files.
- When a directory traversal attack is performed, it is usually done by traversing the root directory, which gives the attacker access to specific restricted files.
- Even with all of the preventative measures in place, there will always be a chance that attackers get through to your directories and compromise your networks.
- Sumo Logic’s cloud-native, comprehensive platform helps your team make data-driven decisions and streamline the security investigation process of your networks.
How do directory traversal attacks work?
Securing and running web servers is imperative to the efficacy of any organization, and understanding how directory traversals work in preparation for an attack is the only way to prevent and mitigate vulnerabilities.
The root directory is the top-level directory of a file system, which contains all other directories and files in the system. In other words, the directory structure's starting point defines the location of files, the file path and directories within the file system. In the context of directory traversal attacks or path traversal attacks, the root directory is the starting point that attackers usually traverse to gain unauthorized access to sensitive files and directories on a web server.
Directory traversal vulnerabilities are enabled by insufficient sanitation, filtration and security of system files or parts of system files. A security vulnerability can be found directly within server files or through application code carried out on a web server.
A directory traversal vulnerability, or path traversal vulnerability, gives attackers access to sensitive data that could lead to other attacks within a system. Most attacks are made against or through the root directory, essentially the parameters that users on a server are confined to. When a directory traversal attack, or path traversal attacks, is performed, it is usually done by traversing the root directory, which gives the attacker access to specific restricted files and sensitive information.
These attacks can be made both through a file system vulnerability in the web server or the application code. Attackers exploit these vulnerabilities, submitting URLs that notify the system to send files back to the application. Windows or DOS traversals use the “..\” or “../” patterns to retrieve certain files from a directory, and attackers will repeat the command until they’ve retrieved the intended files. They can then use these files to compromise a system further.
Below, we’ll get into what some directory traversal attacks might look like.
Directory traversal attack examples
This first example from the Open web Application Security Project (OWASP) shows vulnerabilities in an application’s handling of resources:
http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html
Attackers can then insert their root directory patterns to traverse the directory and gain access to new files.
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
These attacks can compromise systems, sensitive files, and server data.
Attackers can also go after vulnerabilities within the webserver. It would look something like this:
http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php
Although there are other types of attacks, these are the two most common that security teams and organizations will encounter and the two types of traversal attacks you want to be most prepared for.
How do you know if a system has been targeted by a directory traversal attack?
Identifying a directory traversal attack can be challenging, as it can be designed to mimic legitimate requests and vary in complexity. However, some common signs that a directory traversal attack may have targeted your system include:
1. Unusual or unexpected file access or modification: An absolute file path is a complete file or directory path that describes the precise location of a file or directory in a file system. If you notice that files or directories have been accessed or modified without your knowledge or permission, it could be a sign of a directory traversal attack.
2. Suspicious or unexpected URLs: A traversal sequence is a series of characters or strings that an attacker uses to navigate through a file system and access files outside of the web server's root directory. Look for directory traversal sequences with unusual patterns, such as "../" or "../../", commonly used in directory traversal attacks.
3. Error messages or log files: Check your web server error messages or log files for any errors related to file access or directory traversal.
4. Network traffic: Monitor your network traffic for any unusual or suspicious activity, such as a high volume of requests to a specific directory or file.
If you suspect that a directory traversal attack has targeted your system, it is important to take immediate action to prevent further damage. This may include isolating the affected system, performing a thorough security audit and implementing measures to prevent future attacks.
Directory traversal mitigation and prevention
Before we get into how to mitigate a directory traversal, should you be on the receiving end of an attack, let’s cover how you can prevent attacks before mitigation becomes necessary.
A few things you can do to prevent directory traversal attacks/path traversal attacks include:
1) Validate and sanitize all user input to ensure that it conforms to expected values and does not include any malicious directory traversal characters.
2) Configure web servers and applications to restrict access to sensitive files and directories, and access controls should be implemented to ensure that only authorized users have access to sensitive data.
3) Regular security testing, such as vulnerability scanning and penetration testing, can help identify and remediate any vulnerabilities in your system that may be exploited by path traversal attacks.
Even with all of the preventative measures in place, there will always be a chance that attackers will get through to your directories and compromise your networks. Read our ultimate guide to modern SIEM to learn how security information and event management can help minimize the impact of directory traversal attacks.
If you are on the receiving of a directory traversal attack, you can mitigate the damage by:
- Understanding how your OS processes filenames
- Utilizing a security system that will automatically check for SQL injection, directory traversal and other directory vulnerabilities
- Take proactive mitigation efforts by continuously monitoring your network’s traffic
- Create an incident response plan so that when you do identify an attack, you’ll be prepared for it
How Sumo Logic can help
Sumo Logic’s Cloud SIEM solution helps your team make data-driven decisions and streamline the security investigation process of your networks by:
Providing you with real-time analytics that help you identify and resolve potential cybersecurity threats
Enabling your team with machine-learning algorithms provides you with 24/7 alerts and notifications
Allowing you to easily customize your dashboards that align your teams by visualizing logs, metrics and performance data for full-stack visibility
Try a free demo to see how Sumo Logic can help you today.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.