What is a path traversal attack or directory traversal attack?

What is a path traversal attack? Understanding the harm it can cause

Path traversal attacks use an affected application to gain unauthorized access to server file system folders that are higher in the directory hierarchy than the web root folder. A successful path traversal attack can fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files.

Path Traversal is also referred to as directory traversal.

Where can path traversal attacks or directory traversal attacks occur?

Path traversal attacks can also be located in web server software or in application code executed on a server. While not technically gaining root access, an attacker can still use path or directory traversal to gain access to critical data such as passwords, log files, intellectual property, and other sensitive data – all of which can lead to further attacks and compromise.

What are the risks of path traversal attacks?

If successful, a path traversal attack can lead to the following risks:

• Unauthorized data access: Attackers can gain access to sensitive files, such as configuration files, system files, or source code, which may contain credentials for back-end systems, application code and data, and sensitive operating system files.
• Data exfiltration: Attackers may be able to steal sensitive information, leading to data breaches and potential financial or reputational damage.
• Remote code execution: In some cases, path traversal vulnerabilities can be combined with other security weaknesses to allow attackers to execute arbitrary code on the server, potentially leading to complete system compromise.

Examples of path traversal attacks

• Accessing sensitive files: An attacker might use "../" sequences or URL encoding to navigate to restricted directories and access files like "/etc/password" or database configuration files.
• Remote code execution: In some cases, path traversal can be chained with other vulnerabilities to execute arbitrary code on the server.

Detecting path traversal attacks in java applications

• Input validation and filtering: Carefully validate and sanitize user inputs that influence file paths. Java provides libraries and methods for secure input handling.
• Security tools and libraries: Utilize security tools and libraries designed to detect and prevent path traversal attacks. These tools can analyze application behavior, monitor file system access, and identify suspicious patterns.
• Logging and monitoring: Implement robust logging and monitoring mechanisms to track file system activities and detect unauthorized access attempts.

Preventing path traversal attacks in java applications

• Secure coding practices: Follow secure coding guidelines, such as validating user inputs, using parameterized queries, and avoiding direct file path manipulation.
• Principle of least privilege: Restrict application permissions to the minimum necessary, preventing unauthorized access to sensitive files and directories.
• Regular security audits and testing: Conduct regular security assessments and penetration testing to identify and address potential vulnerabilities in Java applications.
• Staying updated: Keep Java applications and libraries up to date with the latest security patches to mitigate known vulnerabilities.

By combining these detection and prevention strategies, Java applications can significantly reduce the risk of path traversal attacks and protect sensitive data.

Detecting path traversal attacks in PHP and protecting PHP applications

Path traversal attacks in PHP often occur due to poor input validation or filtering when data is passed to a function such as file_get_contents.This implies that a key aspect of detecting path traversal attacks in PHP involves scrutinizing the input validation and filtering mechanisms employed within the application.

1. Input Validation and Sanitization:

• Stringent Checks: Implement rigorous checks on user-supplied input to ensure it conforms to expected patterns and doesn't contain malicious character sequences like "../" or URL-encoded equivalents.
• Whitelist Approach: Consider using whitelisting to explicitly define acceptable input values, rejecting any input that doesn't match the predefined criteria.
• Encoding and Decoding: Employ appropriate encoding and decoding techniques to neutralize potentially harmful characters that could be used to manipulate file paths.

2. Security Libraries and Tools:

• Leverage Libraries: Utilize security-focused libraries or frameworks that offer built-in protection against path traversal attacks. These libraries often provide functions for safe file path handling and input validation.
• Security Audits: Conduct regular security audits and penetration testing to proactively identify vulnerabilities in your PHP applications, including those susceptible to path traversal attacks.

3. Error Handling and Logging:

• Error Messages: Carefully craft error messages to avoid divulging sensitive information that attackers could exploit. Generic error messages are preferable to revealing specific file paths or system details.
• Logging: Maintain detailed logs of file system operations, including attempted path traversals. Analyze these logs to detect suspicious patterns and potential attack attempts.

4. Regular Expression Checks:

• Pattern Matching: Employ regular expressions to detect common path traversal patterns, such as "../" sequences or URL-encoded variations. This can help identify and block malicious requests.

5. Runtime Monitoring:

• Behavior Analysis: Utilize runtime monitoring tools to observe the behavior of your PHP application and identify anomalous file system access patterns that may indicate a path traversal attack.

By combining these detection strategies and adhering to secure coding practices, you can significantly enhance your PHP applications' resilience against path traversal attacks. Remember that defense-in-depth is crucial, and a multi-layered approach is often most effective in mitigating this type of security risk.

How do you mitigate and prevent a path traversal attack?

To properly prevent path traversal attacks – and any other vulnerability for that matter – organizations must select AppSec tools and adopt AppSec practices that address the root cause of these AppSec problems. For example, instrumentation-based application security tools embed security within the application and would alert the developer in real time when a practice was being missed or skipped that would allow for a path traversal vulnerability to be introduced. 

Static application scanning could potentially bury this vulnerability under the alert noise that it creates. And, even if the developer got to it, they would have no context to where in the code they need to look to fix. Read more here about the differences between static and interactive application testing. 

Selecting an AppSec tool that surrounds dangerous functions with trust boundaries is another important element to consider in mitigating path traversal vulnerabilities. For example, creating a file is a powerful function that an application needs to be able to perform. That function can be vulnerable to poor input validation or filtering, so you need the assurance of instrumented security to give you protection and peace of mind. 

How contrast security detects path traversal / directory traversal vulnerability

Contrast Security has the only application security tool that addresses the root cause of this path traversal / directory traversal AppSec problem. Contrast Security adopts a zero-trust approach to application security through its Runtime Security product. 

Contrast’s Runtime Security platform unifies IAST (Interactive Application Security Testing), RASP (Runtime Application Self-Protection) and runtime SCA (Software Composition Analysis) into one product. It actively monitors and analyzes application behavior in real time, surrounding dangerous functions with trust boundaries, identifying vulnerabilities in the development and testing phase, and blocking attacks in production. 

We alert the developer when dangerous functions have been invoked without proper sanitization, and we give the developer instant feedback on vulnerabilities. Think of runtime security as adding a security boundary around each application that protects them in production and in the development phase. 

Contrast Runtime Security puts in the right checks, in all the right places, to alert the developers of real vulnerabilities and to alert security teams of real attacks, giving them the full context and insights into the application, the code, the library in use, the vulnerability, and the attack.