September attack data: Spotlight on path traversal, one of the gnarliest application attack types

The Contrast Security Runtime Security Platform — the engine driving Contrast’s Application Detection and Response (ADR) technology — blocked approximately 55.8K cybersecurity attacks during the month of September 2024. 

Below are the numbers, which include 1) attack types with gasp-worthy frequency but ho-hum impact (they may be pesky, but they’re also easy to swat), such as cross-site scripting (XSS) and bots. As well, the numbers reflect 2) the gnarliest of attacks, which may be small in number but are heinous to detect and block (particularly if you’re using old-school tools that don’t block attacks on applications in production, as does Contrast Application Detection and Response). This type includes any kind of injection attack, for example. 

After that, we’ll shine the spotlight on one of these gnarly attacks, as in, the quiet, subtle ones, as old as a floppy disk, that are difficult to detect because they scurry through your application code, making little noise and leaving little or no trace. If it weren’t for advanced technology like ADR — which sniffs out and can be set to block attempted exploits against vulnerable code — they would be next to impossible to spot. 

The spotlight for the month: path traversal, a legitimate means of performing reconnaissance that can also be used in attacks that can lead to remote code execution (RCE) or ransomware. 

But first, the overall numbers: 

September 2024 attacks blocked by Contrast Runtime Security

• XSS — 17.9K
• Bots — 13.82K
• Method tampering — 6,911
• Path traversal — 4,213
• JNDI injection — 7,489 (Log4Shell)
• OGNL injection — 2,238
• IP denylist — 2,172
• SQL injection — 461
• Unsafe file upload — 372
• Class loader manipulation — 163
• Command injection — 92
• CVE-2021-44228 (Log4Shell) — 12
• Untrusted deserialization — 7

Spotlight: Path traversal

Despite its significance, path traversal doesn’t always receive the attention it deserves. Contrast stopped 4,213 attempts in September: not a big-numbers attack, but one with the potential for a large impact with what could be severe consequences. 

Let’s take a look at what path traversal is, how it works and the potential risks it poses.

Path traversal, also known as directory traversal, is a vulnerability that allows attackers to access files and directories outside of the intended web root. While this often means accessing files higher in the directory structure, it's important to understand that path traversal can also be used to access locations within the web root that should be protected by access controls.

By exploiting vulnerabilities in how an application handles file paths, attackers can craft requests to retrieve files that they shouldn't be able to see. This can include sensitive information like:

• Configuration files: These may contain database credentials, API keys, or other sensitive settings.
• Application code: Exposing source code can help attackers find other vulnerabilities to exploit.
• User data: Attackers might gain access to private user information, such as personal details or financial records.
• System files: In some cases, attackers might even be able to access critical operating system files.

Therefore, path traversal is not just about "breaking out" of the web root, but about bypassing any restrictions on file access within the server's file system.

What is path traversal

At its core, path traversal is about bypassing any restrictions on file access within the server's file system. This web security vulnerability allows attackers to manipulate and navigate the file system of a web server. Normally, when users interact with a web application, they’re restricted to a predefined directory: typically, the root of the website. Path traversal occurs when an attacker manages to move outside of that directory by manipulating file paths, often using techniques such as the `../` sequence (dot-dot-slash), URL encoding and null byte injection.  

For example, imagine a web application that allows users to retrieve images stored on a server. The application may use a file path like “/images/picture.jpg” to access the image. With a path traversal vulnerability, an attacker could manipulate the file path to something like “../../../etc/passwd”, tricking the server into retrieving sensitive files from outside the intended directory.

How is path traversal exploited?

Path traversal is rarely the sole issue in an attack. Rather, it’s often one part of a larger exploit chain. Attackers use path traversal as an entry point to access sensitive data or gain unauthorized control over a system. This vulnerability often paves the way for more severe exploits, such as:

• Data exfiltration, corruption or ransomware attacks: Once an attacker gains access to the file system, they can plant malicious code, such as ransomware, which can exfiltrate, corrupt or encrypt files and demand payment for their release.
• Remote code execution (RCE): By exploiting path traversal, attackers can gain access to files that were never intended to be public, potentially leading to the execution of malicious code on the server.
• Denial of service (DoS): Attackers could use path traversal to delete or overwrite important system files, configuration files or user data, causing the application or even the entire server to crash.
• Privilege escalation: If the server stores SSH keys in a predictable location, attackers could use path traversal to retrieve them. This could allow them to gain SSH access to the server with higher privileges.

In other words, path traversal vulnerabilities are often the stepping stones used to initiate larger attacks. Note that you might not see path traversal explicitly cited in many breach reports, given that such reports tend to focus on the final outcome of the exploit: e.g., data theft or malware installation.

Challenges in detecting path traversal

Detecting path traversal can be tricky. Web application firewalls (WAFs) are designed to block such attacks, but they often flag any request that looks suspicious, resulting in a lot of noise. For instance, simply seeing a `../` in a request could trigger a WAF alert. However, this doesn’t always mean an actual attack is taking place, as these alerts could be false positives.

A WAF shouldn’t be your only line of defense.
Read how to use ADR with your WAF for true application defense in depth. 

ADR systems can provide better visibility by tracking whether the malicious request actually results in unauthorized access. While WAFs might detect the attempt, ADR systems can determine if the attack successfully reached the file system and posed a genuine threat.

Recent breaches that exploited path traversal flaws 

Path traversal has been a key player in a handful of recent high-profile breaches. In 2021, a vulnerability in the Accellion File Transfer Appliance allowed attackers to steal sensitive data from organizations including the investment banking firm Morgan Stanley and U.C. Berkeley, among others. 

More recently, the July 2023 MOVEit file transfer software cyberattacks and data breaches, with a list of victims that included the likes of the BBC, Aer Lingus, British Airways and Zellis, a prominent UK payroll provider, and is estimated to have cost companies over $12 billion. 

While the primary vulnerability in the MOVEit breach was a SQL injection flaw, attackers leveraged path traversal to gain further access to MOVEit Transfer servers and steal data. 

The MOVEit incident highlights how path traversal can be a dangerous secondary attack vector, expanding the impact of an initial compromise.

These examples underscore the seriousness of path traversal, even if it’s not always explicitly mentioned in reports. The relative lack of publicized incidents shouldn’t downplay its significance in Application Security (AppSec). In fact, according to the National Vulnerability Database (NVD), there are over 5,200 known directory and path traversal vulnerabilities in popular software today.

How ADR stomps out path traversal

To effectively combat path traversal, organizations need to adopt a robust ADR system. As mentioned earlier, WAFs can detect the initial signs of a path traversal attack but often fail to assess whether the attack has actually succeeded. This is where ADR systems come into play.

Example of Contrast blocking path-traversal attacks

As shown in the image above, ADR systems not only detect path traversal attempts but also determine whether they led to actual file access or data extraction. This level of visibility is crucial for security teams, as it helps them prioritize their response efforts. Instead of wasting time investigating false positives, they can focus on the genuine threats that require immediate action.

False positives + false negatives = real costs

Additionally, ADR systems provide insights into which parts of the application or file system are most frequently targeted by attackers. This information helps security teams understand where their defenses might be weak and where they should focus their efforts to strengthen their overall security posture.

Conclusion

While it might not always be front and center in breach reports, path traversal  often serves as the starting point for more significant exploits, such as ransomware attacks and RCE. Organizations need to ensure they have the right tools in place — such as Application Detection and Response systems — to detect, analyze and respond to path traversal attempts effectively.

As the cybersecurity landscape continues to evolve, understanding vulnerabilities like path traversal will become increasingly important for protecting sensitive data and maintaining a strong security posture. By staying informed and proactive, organizations can reduce their risk of falling victim to these types of attacks.

Read more:

• ADR white paper: The Case for Application Detection and Response (ADR) 
• Contrast explainer video: Contrast Application Detection and Response (ADR)
• Contrast demo video: Contrast Security ADR Demo
• Contrast press release: Contrast Security Application Detection and Response (ADR) Praised by Industry Analysts for Addressing Gap in Cybersecurity Defenses 
• Contrast press release: Contrast Security Introduces Application Detection and Response (ADR) to Identify and Block Attacks and Zero Days on Applications in Production 
• Contrast glossary: What is ADR?
• Contrast blog: Why Contrast Security is making the case for Application Detection and Response (ADR)
• Contrast blog: Contrast Security founder Jeff Williams explains how to fix AppSec in production
• Contrast blog: 5 ways Contrast Security ADR closes the gap in protection for apps & APIs
• Contrast blog: Understanding ADR’s detection and response layers
• Contrast blog: Why application detection and response is sparking excitement in cybersecurity
• Contrast blog: August attack data: A look beyond the numbers
• Contrast blog: Anatomy of an attack
• Contrast blog: Analyst: Application Detection and Response is an ‘emerging category’