Path Traversal

Technical Description

Path Traversal (also known as Directory Traversal or dot-dot-slash attacks) occurs when an application uses user-supplied input to construct file system paths without adequate validation, allowing an attacker to access files and directories outside the intended directory. By injecting directory traversal sequences like ../, the attacker can navigate the file system hierarchy to read sensitive files, overwrite critical configurations, or in some cases achieve code execution.

The fundamental issue is that the application trusts user input to specify a file path within a restricted directory but does not enforce that restriction:

# Vulnerable file download endpoint
@app.route('/download')
def download():
    filename = request.args.get('file')
    return send_file(f'/var/www/uploads/{filename}')

# Attacker requests: /download?file=../../../etc/passwd
# Server reads: /var/www/uploads/../../../etc/passwd -> /etc/passwd

Path traversal attacks can target various operations:

• File Read: Accessing sensitive files like /etc/passwd, /etc/shadow, application configuration files, source code, database credentials, and private keys.
• File Write: Overwriting configuration files, cron jobs, or SSH authorized_keys to achieve persistence or code execution. Writing web shells to publicly accessible directories.
• File Include: In languages like PHP, path traversal combined with Local File Inclusion (LFI) can lead to code execution when included files are interpreted as code.
• Zip Slip: Archive extraction that writes files to arbitrary locations (CVE-2018-1002200). A zip file containing entries like ../../../etc/cron.d/backdoor can write outside the extraction directory.

Bypass techniques for basic filtering include:

• URL encoding: %2e%2e%2f or double encoding %252e%252e%252f
• Unicode / overlong UTF-8: ..%c0%af or ..%ef%bc%8f
• Null byte injection (legacy): ../../../etc/passwd%00.png
• OS-specific separators: ..\..\.. on Windows
• Path normalization tricks: ....// which becomes ../ after single-pass filtering

Real-World Impact

Path traversal vulnerabilities have led to significant security incidents:

• Fortinet FortiOS (CVE-2018-13379, 2019): A path traversal vulnerability in the SSL VPN web portal allowed unauthenticated attackers to download system files, including session tokens. This was mass-exploited and credentials for over 500,000 VPN devices were leaked, used in subsequent ransomware campaigns.
• Citrix ADC / Gateway (CVE-2019-19781): A path traversal leading to remote code execution affected tens of thousands of internet-facing Citrix appliances. It was exploited within days of disclosure by ransomware groups and nation-state actors.
• Apache HTTP Server (CVE-2021-41773): A path traversal flaw in Apache 2.4.49 allowed access to files outside the document root. Combined with CGI, it enabled remote code execution. The simplicity of exploitation (curl 'http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd') made it a widespread issue.

Path traversal in backup and log endpoints frequently exposes database credentials, API keys, and internal infrastructure details that enable deeper compromise.

Detection Methodology

Testing for path traversal requires creative input manipulation:

1. Parameter Identification: Identify every request parameter, header, cookie, and file upload field that references a file path, filename, or directory. Common parameter names include file, path, doc, page, template, folder, and lang.
2. Traversal Sequence Injection: Test basic sequences (../../../etc/passwd) and escalate to encoded variants, OS-specific separators, and null bytes. On Windows, target C:\Windows\win.ini or C:\boot.ini.
3. Response Analysis: Compare responses between legitimate files and traversal attempts. Look for file contents, different error messages, response length changes, or timing variations that indicate the application is processing the path differently.
4. Absolute Path Testing: In addition to relative traversal, test absolute paths (/etc/passwd, C:\Windows\win.ini) in case the application directly concatenates without a base directory.
5. File Write Testing: Where file upload or write functionality exists, test whether traversal sequences in filenames allow writing outside the intended directory. Test archive extraction for Zip Slip vulnerabilities.

How Revaizor Discovers This

Revaizor’s AI agents excel at identifying path traversal because they combine systematic testing with intelligent bypass techniques:

• Comprehensive Input Mapping: Revaizor identifies every endpoint and parameter that interacts with the file system, including non-obvious vectors like PDF generators, template selectors, language/locale parameters, log viewers, and backup download endpoints.
• Adaptive Bypass Engine: When basic traversal sequences are filtered, Revaizor’s agents systematically escalate through encoding variants, unicode tricks, path normalization bypasses, and OS-specific techniques. The agents observe filter behavior and adapt their payload strategy in real time.
• Cross-Platform Awareness: Revaizor tailors payloads to the detected operating system and web server, targeting OS-specific sensitive files and using the appropriate path separators and encoding techniques.
• Impact Escalation: When path traversal is confirmed, Revaizor targets high-value files: application configuration files containing database credentials, private keys, cloud credentials, and source code. It maps the full blast radius of the vulnerability to communicate risk effectively.

Remediation

Effective path traversal prevention requires multiple layers of defense:

import os

UPLOAD_DIR = '/var/www/uploads'

def safe_file_access(filename):
    # Resolve the full path and verify it stays within the allowed directory
    requested_path = os.path.realpath(os.path.join(UPLOAD_DIR, filename))

    if not requested_path.startswith(os.path.realpath(UPLOAD_DIR)):
        raise PermissionError("Access denied: path traversal detected")

    if not os.path.isfile(requested_path):
        raise FileNotFoundError("File not found")

    return requested_path

// Java - canonical path validation
Path basePath = Paths.get("/var/www/uploads").toRealPath();
Path requestedPath = basePath.resolve(userInput).toRealPath();

if (!requestedPath.startsWith(basePath)) {
    throw new SecurityException("Path traversal attempt detected");
}

Comprehensive prevention measures:

• Canonicalize Then Validate: Always resolve the full canonical (real) path of the requested file and verify it falls within the allowed base directory. This defeats all encoding and traversal tricks.
• Allowlist Filenames: Where possible, map user-supplied identifiers to a predefined set of allowed files rather than using them directly in file paths. Use an indirect reference: {1: "report.pdf", 2: "invoice.pdf"}.
• Strip Path Components: Remove or reject any input containing path separators (/, \), traversal sequences (..), or null bytes before any file system operation.
• Chroot / Container Isolation: Run the application in a chroot jail or container with a minimal file system. Even if traversal succeeds, the attacker can only access files within the restricted environment.
• Least-Privilege File Permissions: Ensure the application process runs with the minimum file system permissions necessary. Application code directories should be read-only. Sensitive system files should be inaccessible to the application user.