Directory Traversal: by Prabhat Kumar Verma 21072019

Directory traversal attacks allow attackers to access files outside of a web application's designated folder structure. This is done by manipulating inputs that specify file paths, such as URLs, to include "../" sequences that cause the file system to traverse up directories. Successful attacks can reveal sensitive information like passwords or server configuration files. To prevent these attacks, web applications should validate all inputs that specify files and remove "../" sequences, and servers should only allow access to authorized folders.

Directory Traversal

BY PRABHAT KUMAR VERMA
21072019
What is Directory Traversal?

• Directory Traversal refers to an attack through which an attacker may trick a web application into reading and subsequently divulging the contents of files outside of the document root directory of the application or the web server.

• Directory Traversal attacks typically manipulate web application inputs by using the dot-dot-slash ("../") sequence, or similar variations (such as "..\" in Microsoft Windows), to access server file system folders that are higher in the hierarchy than the web root folder.

• Typically, Directory Traversal attacks are used to gain access to sensitive information stored within arbitrary files in other areas of a web application or in other parts of the filesystem that the web server can read. Since such files may contain secrets such as passwords, access tokens, or backups, a successful Directory Traversal attack may allow an attacker to take their observation further or exploit other application security vulnerabilities.
What does (../) or dot dot slash mean?

• The ".." instructs the system to go one directory (or folder) up.

  For example: we are at this location c:/Apps/games

  Now on typing "../" we would reach c:/Apps

• To access files or execute commands anywhere on the file system, Directory Traversal attacks exploit such special-character sequences.
How does a Directory Traversal Attack work?

The slide's diagram shows the exchange between the browser, the server and the hacker as four steps:

1. Hacker identifies a web application with insufficient validation of input from users.

2. A valid GET request is used to retrieve and return an expected file from the server:
   https://example.com/?file=filename.php

3. Hacker modifies the URL string using the "../" directive in an attempt to retrieve the desired file from a higher directory:
   https://example.com/?file=../../../../etc/passwd

4. The GET request is performed and, without proper validation, the hacker is granted access to the file containing sensitive information.
Preventing Directory Traversal Attacks

o Don't store old, sensitive, or otherwise nonpublic files on your web server. The only files that should be in your document root folder are those that are needed for the site to function properly.

o The latest versions of the web servers have good directory security by default, so, if possible, make sure you're running the latest versions.

o Remove "..\" and "../" from any input that's used in a file context.

o Ensure that your web server is properly configured to allow public access to only those directories that are needed for the site to function.
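As an added example (not part of the original slides), the "?file=" handler from the diagram in a deliberately vulnerable form beside a hardened one that applies the last two points above: it refuses "../" and "..\" components and then confirms the resolved path still lies inside the document root. The sandbox directory, its files and the names DOCROOT, resolve_safe and serve_hardened are constructed for this example.

```python
import os
import tempfile

# Constructed sandbox standing in for the web server's filesystem: a document
# root ("www") holding one public file, and a sensitive file one directory above.
BASE = os.path.realpath(tempfile.mkdtemp(prefix="traversal-demo-"))
DOCROOT = os.path.join(BASE, "www")
os.mkdir(DOCROOT)
PUBLIC_FILE = os.path.join(DOCROOT, "filename.php")
with open(PUBLIC_FILE, "w") as fh:
    fh.write("<?php echo 'public page'; ?>\n")
with open(os.path.join(BASE, "secret.txt"), "w") as fh:
    fh.write("not for the web\n")


def serve_vulnerable(file_param: str) -> str:
    """The '?file=' handler from the diagram: the parameter is joined to the
    document root with no validation, so '../' walks out of it."""
    with open(os.path.join(DOCROOT, file_param)) as fh:
        return fh.read()


def resolve_safe(file_param: str):
    """Return the absolute path to serve, or None if the request is refused."""
    # Treat the Windows "..\" variation the same as "../".
    normalized = file_param.replace("\\", "/")
    # Refuse any ".." component rather than silently stripping it: the request
    # was trying to leave the document root, and that is worth logging.
    if ".." in normalized.split("/"):
        return None
    # Backstop: resolve symlinks and "." components, then require that the
    # final path still lies inside DOCROOT. This also blocks absolute paths,
    # which os.path.join would otherwise accept as-is.
    resolved = os.path.realpath(os.path.join(DOCROOT, normalized))
    if os.path.commonpath([DOCROOT, resolved]) != DOCROOT:
        return None
    return resolved


def serve_hardened(file_param: str) -> str:
    """Same handler with both checks applied; raises instead of leaking a file."""
    path = resolve_safe(file_param)
    if path is None:
        raise PermissionError(f"refused file parameter: {file_param!r}")
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    print("vulnerable:", repr(serve_vulnerable("../secret.txt")))
    for p in ("filename.php", "../secret.txt", "..\\..\\etc\\passwd", "/etc/passwd"):
        print(f"hardened {p!r}:", resolve_safe(p) or "refused")
```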
THANK YOU
