Directory Traversal vulnerability

Tram Ho

Introduction

This vulnerability allows hackers to access files on your system. In general, this error is widespread and dangerous: if a hacker finds this vulnerability, it is only a matter of time before the system is compromised.

If our website is indexed by Google and its URLs include a file path in the query string, then chances are we are advertising the vulnerability on our system to hackers. Hackers often use search engines like Google to look for vulnerabilities. Try searching Google for site:<yourdomain.com> inurl:file= to see whether any results are returned!

How it works

For example, our website has a function that allows downloading PDF files via the query string, as follows: foodle.com/menus?menu=arachnaburger.pdf .

Sensing an opportunity, the hacker tests it by changing the path to foodle.com/menus?menu=../../../../etc/passwd . If the server does not validate the path, the hacker can access sensitive files; in this example, he has downloaded the passwd file:

Content:

That’s true, bro, hackers can read important files.

Prevention

  • First and foremost, validate the link strictly.
  • Filter file names passed in parameters.
  • Restrict access permissions and use a whitelist.
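
The three measures above combined for the menu download endpoint, as an added example that is not code from the original article. The directory layout, the whitelist contents and the function names are assumptions made for the demo, and the sample PDF is constructed.

```python
import tempfile
from pathlib import Path

# Constructed demo layout: every downloadable menu lives in one directory.
MENU_DIR = Path(tempfile.mkdtemp(prefix="menus-")).resolve()
(MENU_DIR / "arachnaburger.pdf").write_bytes(b"%PDF-1.4 constructed sample")

# Whitelist of the only file names the endpoint may serve (assumed list).
ALLOWED_MENUS = {"arachnaburger.pdf"}


class RejectedPath(ValueError):
    """The menu parameter failed validation."""


def is_contained(name: str) -> bool:
    """True if MENU_DIR/name, with '..' and symlinks resolved, stays inside MENU_DIR."""
    candidate = (MENU_DIR / name).resolve()
    return MENU_DIR in candidate.parents


def resolve_menu(menu_param: str) -> Path:
    """Map the already URL-decoded `menu` value to a file in MENU_DIR, or raise."""
    # 1. Filter the file name: a bare name only, no separators or NUL bytes.
    if not menu_param or any(c in menu_param for c in ("/", "\\", "\x00")):
        raise RejectedPath("not a bare file name")
    # 2. Whitelist: anything not explicitly listed is refused.
    if menu_param not in ALLOWED_MENUS:
        raise RejectedPath("not on the whitelist")
    # 3. Defense in depth: the resolved path must still be under MENU_DIR.
    if not is_contained(menu_param):
        raise RejectedPath("escapes the menu directory")
    path = MENU_DIR / menu_param
    if not path.is_file():
        raise RejectedPath("no such menu")
    return path


def is_served(menu_param: str) -> bool:
    """Convenience wrapper: True when the request would be answered with a file."""
    try:
        resolve_menu(menu_param)
        return True
    except RejectedPath:
        return False


if __name__ == "__main__":
    for value in ("arachnaburger.pdf", "../../../../etc/passwd"):
        print(f"menu={value!r} served={is_served(value)}")
```

Run the checks on the value after the web framework has URL-decoded it, so an encoded separator cannot slip past the filter.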

Summary

The above is an overview of the Directory Traversal vulnerability; hopefully it is useful for you. Happy coding!

Source : Viblo