AttackFlow Findings Dictionary


Directory Traversal

The attacker may access sensitive web/application server configuration files, source code or sensitive operating system files by manipulating the file I/O operations executed by the application.

Severity: Critical

Fix Cost: Low

Trust Level: High

File I/O API operations are common in web applications. Some of these file APIs are involved in downloading files from, or uploading files to, the target system. Programming frameworks provide decent file I/O APIs to developers in order to ease the development of file transfer and processing.

Let the backend code be similar to the following C# snippet:

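using System.IO;
...

// Untrusted input taken directly from the request
String filename = Request["fileName"];

// Vulnerable: the user-controlled name is concatenated onto the base directory
if (File.Exists(@"D:\wwwroot\reports\" + filename))
{
    File.Delete(@"D:\wwwroot\reports\" + filename);
}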

The above code takes a parameter from the untrusted user and uses it as a file name to check the existence of the file. If the file exists, it gets deleted.

The attacker, by providing a file name similar to the following,


..\Web.Config 

may be able to delete the web.config file of the web application.

Every injection attack occurs because code and untrusted data are mixed in the code. As developers, we are rarely provided with secure APIs that keep these two pieces of information (code and data) apart until runtime. In the above code, mixing the data (the name of the file coming from the user) with the code (the partial file directory path in the program) results in Directory Traversal. The attacker can potentially manipulate the file name and access sensitive information through system files that he can’t access otherwise.

As a side note, the Directory Traversal term is used interchangeably with Path Manipulation and Path Traversal.


Let the backend code be similar to the following Java snippet:

String fileName = request.getParameter("file");

if (fileName == null) {
  return;
}

// Vulnerable: the user-controlled name is concatenated onto the base directory
File downloadedFile = new File(UploadPath + fileName);

if (!downloadedFile.exists()) {
  return;
}

// try-with-resources closes the file stream even if the copy fails
try (FileInputStream in = new FileInputStream(downloadedFile)) {
  OutputStream out = response.getOutputStream();
  byte[] buffer = new byte[4096];
  int length;
  while ((length = in.read(buffer)) > 0) {
    out.write(buffer, 0, length);
  }
}
catch (IOException ioe) {
  // ...
}

The above code takes a parameter from the untrusted user and uses it as a file name to check the existence of the file. If the file exists, its content is read and written to the response.

The attacker, by providing a file name similar to the following,


../../../../../../../../../etc/passwd 

may be able to get the /etc/passwd file of the underlying Operating System.

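One way to keep the user-supplied file name inside the intended directory, shown for the Java download case above. This is an added example, not code from the original page or from AttackFlow; the class name SafeDownloadPath, the helper resolveInside and the sample file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeDownloadPath {

    // Hypothetical helper (not from the original page): resolves an untrusted
    // file name under baseDir and returns null if the result leaves baseDir.
    static Path resolveInside(Path baseDir, String userFileName) throws IOException {
        if (userFileName == null || userFileName.isEmpty()) {
            return null;
        }
        Path base = baseDir.toRealPath();           // canonical base, symlinks resolved
        Path candidate;
        try {
            // normalize() collapses "." and ".." segments; an absolute input
            // replaces the base entirely, which the check below rejects
            candidate = base.resolve(userFileName).normalize();
        } catch (InvalidPathException e) {          // e.g. embedded NUL character
            return null;
        }
        // Path.startsWith compares whole path elements, so "/srv/uploads-old"
        // does not pass as being inside "/srv/uploads"
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // Resolve symlinks in the target and repeat the containment check
        Path real = candidate.toRealPath();
        return real.startsWith(base) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary upload directory with one file
        Path uploads = Files.createTempDirectory("uploads");
        Files.write(uploads.resolve("report.pdf"), new byte[] {1, 2, 3});

        String[] inputs = {
            "report.pdf", "../../../../../../../../../etc/passwd",
            "/etc/passwd", "sub/../report.pdf", "missing.pdf"
        };
        for (String input : inputs) {
            Path p = resolveInside(uploads, input);
            System.out.println(input + " -> " + (p == null ? "rejected" : "allowed: " + p));
        }
    }
}
```

The path returned by resolveInside, not the raw request parameter, is what gets passed to FileInputStream or to a delete call.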
