Recipe 9-2: Preventing Path-Traversal Attacks
This recipe shows you how to determine when attackers attempt to use path-traversal requests to access unauthorized data.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_42_tight_security.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
CAPEC-126: Path Traversal
An attacker uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information, the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.
Sample Attacks
Figure 9-1 shows a path-traversal attack that successfully accesses the OS-level /etc/passwd file.
In addition, here are some real-world path-traversal attacks captured from web server honeypot systems:
GET //index.php?option=com_awdwall&controller=../../../../../../../ ../../../../../../../../../../../../../etc/passwd%0000 ...
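To show how the request parts named in the ingredients (REQUEST_URI, REQUEST_HEADERS, REQUEST_BODY and XML) get inspected for traversal sequences, here is an added example in Python. It is not the book's code and not part of ModSecurity or the CRS: it approximates the ModSecurity transformations t:urlDecodeUni and t:removeNulls with a small normalize() routine, then looks for a ".." path segment in each request part. The sample requests, the header name X-Original-Path and the function names are constructed for the example; the first sample is modelled on the honeypot request quoted above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# A ".." segment: preceded by nothing, a path separator or a query delimiter
# (? & =) and followed by a separator or the end of the value. Dots inside a
# file name ("photo..jpg") and "..." segments do not match.
TRAVERSAL_RE = re.compile(r'(?<![^\\/?&=])\.\.(?:[\\/]|$)')

# IIS-style %uXXXX encoding, which plain percent-decoding leaves untouched.
_PCT_U_RE = re.compile(r'%u([0-9a-fA-F]{4})')


def normalize(value: str, max_rounds: int = 3) -> str:
    """Approximate t:urlDecodeUni and t:removeNulls (assumption: a simplified
    reimplementation, not ModSecurity's own code). Decoding repeats so that
    double-encoded input such as %252e%252e%252f is unwrapped as well."""
    decoded = value
    for _ in range(max_rounds):
        step = _PCT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        step = unquote(step)
        if step == decoded:
            break
        decoded = step
    return decoded.replace('\x00', '')


def find_traversal(value: str):
    """Return the first traversal sequence found after normalization, or None."""
    match = TRAVERSAL_RE.search(normalize(value))
    return match.group(0) if match else None


def xml_values(body: str):
    """Yield element text and attribute values, the data the XML variable exposes."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.text.strip()
        yield from elem.attrib.values()


def inspect_request(request: dict):
    """Check URI, headers, raw body and (for XML bodies) parsed XML values.
    Returns a list of (location, matched_text) findings."""
    findings = []
    headers = request.get('headers', {})
    body = request.get('body', '')
    hit = find_traversal(request.get('uri', ''))
    if hit:
        findings.append(('REQUEST_URI', hit))
    for name, val in headers.items():
        hit = find_traversal(val)
        if hit:
            findings.append((f'REQUEST_HEADERS:{name}', hit))
    hit = find_traversal(body)
    if hit:
        findings.append(('REQUEST_BODY', hit))
    if headers.get('Content-Type', '').startswith('text/xml'):
        for val in xml_values(body):
            hit = find_traversal(val)
            if hit:
                findings.append(('XML', hit))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    'honeypot_style': {
        'uri': '/index.php?option=com_awdwall&controller=../../../../../../../etc/passwd%00',
        'headers': {}, 'body': ''},
    'double_encoded': {
        'uri': '/download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow',
        'headers': {}, 'body': ''},
    'unicode_header': {
        'uri': '/', 'headers': {'X-Original-Path': '%u002e%u002e%u002fetc%u002fpasswd'},
        'body': ''},
    'xml_body': {
        'uri': '/upload', 'headers': {'Content-Type': 'text/xml'},
        'body': '<request><file>..\\..\\windows\\win.ini</file></request>'},
    'benign': {
        'uri': '/gallery/2024..2025/photo..jpg', 'headers': {'X-Original-Path': '/a/.../b'},
        'body': ''},
}


def scan_samples():
    """Run every sample through inspect_request and map name -> findings."""
    return {name: inspect_request(req) for name, req in SAMPLES.items()}


if __name__ == '__main__':
    for name, findings in scan_samples().items():
        print(f'{name}: {findings or "clean"}')
```

The regex deliberately runs after decoding rather than after a path-normalizing step: normalizing first would collapse the "../" segments and leave nothing to match, which is why decoding, null removal and the match order matter as much as the pattern itself. The XML body is reported twice (raw body and parsed value) so that a rule chained on either variable would still fire.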