- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
The Path Traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate a URL in such a
way that the web site will execute or reveal the contents of arbitrary
files anywhere on the web server. Any device that exposes an HTTP-
based interface is potentially vulnerable to Path Traversal.
Most web sites restrict user access to a specific portion of the file-
system, typically called the "web document root" or "CGI root"
directory. These directories contain the files intended for user access
and the executables necessary to drive web application functionality.
To access files or execute commands anywhere on the file-system,
Path Traversal attacks will utilize the ability of special-characters
The most basic Path Traversal attack uses the "../" special-
character sequence to alter the resource location requested in the
URL. Although most popular web servers will prevent this technique
from escaping the web document root, alternate encodings of the
"../" sequence may help bypass the security filters. These method
variations include valid and invalid Unicode-encoding ("..%u2216" or
"..%c0%af") of the forward slash character, backslash characters
("..\") on Windows-based servers, URL encoded characters
("%2e%2e%2f"), and double URL encoding ("..%255c") of the
Even if the web server properly restricts Path Traversal attempts in
the URL path, a web application itself may still be vulnerable due to
improper handling of user-supplied input. This is a common problem
of web applications that use template mechanisms or load static text
from files. In variations of the attack, the original URL parameter
value is substituted with the file name of one of the web application's
dynamic scripts. Consequently, the results can reveal source code
because the file is interpreted as text instead of an executable script.
These techniques often employ additional special characters such as
the dot (".") to reveal the listing of the current working directory, or
"%00" NUL characters in order to bypass rudimentary file extension
Path Traversal attacks against a web server
Path Traversal attacks against a web application
In the above example, the web application reveals the source code of
the foo.cgi file because the value of the home variable was used
as content. Notice that in this case the attacker does not need to
submit any invalid characters or any path traversal characters for the
attack to succeed. The attacker has targeted another file in the same
directory as index.htm.
Path Traversal attacks against a web application using special-
In above example, the web application reveals the source code of the
foo.cgi file by using special-characters sequences. The "../"
sequence was used to traverse one directory above the current and
enter the /scripts directory. The "%00" sequence was used both to
bypass file extension check and snip off the extension when the file
was read in.
"CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS"
"Novell Groupwise Arbitrary File Retrieval Vulnerability"
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second Path Traversal attack vulnerability test.
Other members of our business group:
COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED