DOT-DOT-SLASH
DIRECTORY TRAVERSAL
BACKTRACKING DIRECTORY CLIMBING
Path Traversal
An Introduction
WHAT IS A PATH TRAVERSAL ATTACK?
● A path traversal attack aims to access files and directories that are stored outside the web root folder. It should be noted that access to files is still limited by the operating system's access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
● To access files or execute commands anywhere on the file system, path traversal attacks make use of special character sequences such as "../".
WHAT IS A DIRECTORY?
● In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories.
● The top-most directory in such a file system, which does not have a parent of its own, is called the root directory.
● Root Directory – This directory is located in the server file system and users simply can't access sensitive files above this root. One such example is the sensitive cmd.exe file on Windows platforms, which rests in the root directory that not everyone can access.
ROOT DIRECTORY
What does ../ or .. (dot dot slash) mean?
● The ".." instructs the system to go one directory (or folder) up.
  For example: we are at this location: C:/Apps/Games
  Now on typing "../", we would reach C:/Apps
● To access files or execute commands anywhere on the file system, path traversal attacks will utilize the ability of special-character sequences.
Encoding and double encoding
● Most web servers prevent the plain "../" technique from escaping the web document root, but alternate encodings of the "../" sequence may help bypass the security filters.
● These variations include valid and invalid Unicode encoding ("..%u2216" or "..%c0%af") of the forward slash character, backslash characters ("..\") on Windows-based servers, URL-encoded characters ("%2e%2e%2f"), and double URL encoding ("..%255c") of the backslash character.
● This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It is possible because the web server accepts and processes client requests in many encoded forms.
Encoding and double encoding
Encoded form            Decodes to
%2e%2e%2f               ../
%2e%2e/                 ../
..%2f                   ../
%2e%2e%5c               ..\
%2e%2e                  ..
..%5c                   ..\
%252e%252e%255c         ..\   (after decoding twice)
..%255c                 ..\   (after decoding twice)

%2e = .
%2f = /
%5c = \
%252e = .   (double-encoded)
%255c = \   (double-encoded)
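The table above only helps if the filter decodes before it checks. The following is an added example (not part of the original slides) that runs the slides' encodings through bounded, strict percent-decoding and classifies each one; the sample inputs and the three labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# ".." as a whole path segment, bounded by either slash style (or string ends),
# checked only AFTER decoding: "my..file.txt" is legitimate, "../" is not.
DOTDOT_SEGMENT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, strictly as UTF-8.

    Strict decoding makes overlong/invalid sequences such as "..%c0%af" raise
    UnicodeDecodeError instead of silently becoming a replacement character.
    Bounding the rounds stops an attacker from forcing unbounded work.
    """
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(value).decode("utf-8")
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def classify(value: str) -> str:
    """Return 'ok', 'traversal' or 'invalid-encoding' for one raw parameter."""
    try:
        decoded = decode_fully(value)
    except (UnicodeDecodeError, ValueError):
        return "invalid-encoding"
    # A leftover '%' means a non-standard escape (IIS-style %u2216, stray %zz)
    # that a standard decoder does not understand; reject rather than guess.
    if "%" in decoded:
        return "invalid-encoding"
    if DOTDOT_SEGMENT.search(decoded):
        return "traversal"
    return "ok"


# Constructed inputs: the slides' encoding table plus two benign names.
SAMPLES = [
    "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c", "%2e%2e", "..%5c",
    "%252e%252e%255c", "..%255c", "..%u2216", "..%c0%af",
    "reports/q1.pdf", "my..file.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:20} -> {classify(sample)}")
```

Note that the double-encoded rows need two decoding rounds before the ".." segment appears, which is why a single-pass decoder followed by a check is not enough.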
● There was a serious security vulnerability in the Belkin N150 wireless router that can enable a remote, unauthenticated attacker to read any system file on a vulnerable router.
● Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system.
TIME FOR DEMONSTRATION
How to prevent Path Traversal attacks?
● Don't store old, sensitive, or otherwise non-public files on your web server. The only files that should be in your /htdocs or DocumentRoot folder are those that are needed for the site to function properly.
● The latest versions of web servers have good directory security by default, so, if possible, make sure you're running the latest versions.
● Effectively filter any user input. Ideally remove everything but the known good data and filter metacharacters from the user input. This will ensure that attackers cannot use commands that leave the root directory or violate other access privileges.
● Remove ".." and "../" from any input that's used in a file context.
● Ensure that your web server is properly configured to allow public access to only those directories that are needed for the site to function.
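An added example (not from the slides) that puts the filtering bullets into code: it rejects ".." segments rather than stripping them, and backs that up with a document-root containment check after the path is resolved. The document root /srv/htdocs and the file names are constructed; they do not need to exist for the check to run.

```python
import os
import re

# ".." as a whole path segment, with either slash style, anywhere in the input
DOTDOT_SEGMENT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def naive_strip(user_path: str) -> str:
    """The weak reading of "remove '../'": one pass of deletion.

    A name like "....//x" loses its inner "../" and becomes "../x", so the
    filter itself manufactures the traversal sequence it meant to remove.
    """
    return user_path.replace("../", "")


def safe_join(document_root: str, user_path: str) -> str:
    """Return the absolute path of user_path inside document_root, or raise.

    Two layers: reject explicit ".." segments and NUL bytes up front, then
    resolve the real target (realpath normalises ".." and follows symlinks)
    and require that it still sits under the real document root.
    """
    if DOTDOT_SEGMENT.search(user_path) or "\x00" in user_path:
        raise ValueError("rejected: traversal sequence or NUL byte in input")
    root = os.path.realpath(document_root)
    # os.path.join discards root when user_path is absolute ("/etc/hosts"),
    # which is exactly what the containment check below catches.
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("rejected: resolves outside the document root")
    return target


def is_inside_root(document_root: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join for quick checks."""
    try:
        safe_join(document_root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/srv/htdocs"  # constructed document root
    for candidate in ["css/site.css", "../../etc/hosts", "/etc/hosts", "....//config.ini"]:
        print(f"{candidate:20} inside root: {is_inside_root(root, candidate)}")
    print("naive_strip('....//config.ini') ->", naive_strip("....//config.ini"))
```

The literal name "....//config.ini" stays inside the root because the file system treats "...." as an ordinary directory name; only the naive strip turns it into "../config.ini".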
