Directory traversal

Unintended disclosure of sensitive files

Directory traversal: the basics

What is directory traversal?

A directory traversal attack aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the filesystem; including application source code, configuration, and other critical system files.

About this lesson

In this lesson, you will learn how directory traversal works and how to mitigate it in your application. You will first use a directory traversal attack to hack a vulnerable web server. We will then explain directory traversal by showing you the backend code of that vulnerable server. Finally, we will teach you how to prevent directory traversal from affecting your code.

Ready to learn? Buckle your seat belts, put on your hacker's hat, and let's get started!

Directory traversal examples DO THIS

Hacking a to-do app

To increase revenue and survive until the next funding round, a company called startup.io decided to create a side product. Since the market for image hosting platforms has recently become a bit saturated, the firm made a call to build an app for managing to-do lists instead.

Sadly, their to-do app is vulnerable to directory traversal attack. Let's use a terminal window and curl to exploit the vulnerability. Our goal is to view the /etc/passwd stored on the backend server.

Directory traversal under the hood

How does directory traversal work?

Essentially, the attack is accomplished by adding characters such as ../ into a URL that serves content from a directory structure. The content is usually served from a base directory, such as /public. An attacker can supply filenames that contain ../ or a URL encoded equivalent %2e%2e%2f. These URLs allow the attacker to break out of the base directory and view files stored in other folders on the filesystem.

To illustrate this, let's jump into the code. Below you will find the getFileSystemPath function, which constructs a filesystem path from the URL. All files and directories returned by getFileSystemPath are served statically by the web server.

A directory traversal attack which shows a hacker sending malicious payload to a server and accessing files which shouldn't be publicly accessible

Directory traversal mitigation

Validate canonical path

The most robust way to prevent directory traversal attacks is to avoid relying on user-supplied input when dealing with the filesystem APIs. Unfortunately, this is easier said than done and might require rewriting a considerable chunk of your application.

A more realistic mitigation mechanism is to prevent the user-supplied directory from being higher up on the filesystem than the directory used to serve static content.

For example, if an application serves files from /wwwroot/public/, any canonical representation of the user requested path must start with /wwwroot/public/. Otherwise, the request could break out of the target directory.

The code example below shows how to normalize the user-supplied path and check whether it starts in the expected directory. To achieve this in JavaScript, use path.normalize or similar.

A directory traversal attack which shows a hacker sending malicious payload to a server, but the malicious access is prevented by verification of the canonical path

import url from "url";
import path from 'path';
const BASE_DIR = '/wwwroot';
export function getFileSystemPath
(inputUrl) {
  const urlPath = url.parse(inputUrl)
.pathname;
  const normalizedPath = path.
normalize(urlPath);
  if (!normalizedPath.startsWith('/
public')) {
    throw new Error('Illegal path 
supplied in the input url: ' + 
urlPath);
  }
  return path.join(BASE_DIR, 
normalizedPath);
}

Verify the input

The path normalization will deal with malicious inputs such as https://todoapp.startup.io/public/../. However, we can still trick it by encoding the . character as %2e. To be fully protected, you need to sanitize your user-supplied data and get rid of unexpected inputs, for instance:

Maintain a set of allowed filesystem paths and compare the user input against that set.
Allow only alphanumeric characters and reject inputs that contain other characters.

If the above measures are impractical, consider disallowing dangerous characters explicitly. For example, the below code removes the URL-encoded characters from the user-supplied input.

import url from "url";
import path from 'path';
const BASE_DIR = '/wwwroot';
export function getFileSystemPath
(inputUrl) {
  let urlPath = url.parse(inputUrl).
pathname;
  urlPath = urlPath.replace(/%2e/ig, 
'.');
  urlPath = urlPath.replace(/%2f|%5c/
ig, '/');
  const normalizedPath = path.
normalize(urlPath);
  if (!normalizedPath.startsWith('/
public')) {
    throw new Error('Illegal path 
supplied in the input url: ' + 
urlPath);

Don't reinvent the wheel: use open-source libraries

Correct sanitization of user input is hard work and requires constant verification against newly discovered ways to bypass known protection methods. In almost all cases, it is a better choice to use a well-maintained open-source library.

For instance, to serve static files in JavaScript, consider using st. Another option is to build your application with web frameworks, such as express, which have built-in support for serving static content.

To decide which libraries to trust, use Snyk Advisor! Snyk Advisor provides information on a given package's popularity, community support, and security. Also, check your open source libraries with vulnerability scanners such as Snyk, which will notify you about all new vulnerabilities discovered in any libraries you are using, and will help you mitigate them easily.

How do you mitigate directory traversal?

To recap, to mitigate directory traversal in your codebase, avoid calling filesystem APIs with user-supplied data as input. If that is not practical, validate that the user-supplied path is a child of the directory which the application serves from. Remember to sanitize the input to prevent malicious payloads from tricking you through techniques such as URL encoding. Finally, instead of writing all the logic yourself, consider using popular open-source libraries which handle things for you.

Bonus: directory traversal in the wild

Directory traversal in st

st is a popular JavaScript library used for serving static files. In its early version, it was vulnerable to directory traversal, which actually posed a serious security threat for the entire NPM ecosystem.

The diff below is from the commit, which added the sanitization to catch directory traversal attempts with URL encoding.

// get a path from a url
Mount.prototype.getPath = function 
(u) {
  var p = url.parse(u).pathname
  p = p.replace(/%2e/ig, '.')
  p = p.replace(/%2f/ig, '/')
  p = p.replace(/%5c/ig, '\\')
  p = p.replace(/^[\/\\]?/, '/')
  p = p.replace(/[\/\\]\.\.[\/\\]/, 
'/')
  u = path.normalize(p).replace(/\\/
g, '/')
  if (u.indexOf(this.url) !== 0) 
return false
  try {
    u = decodeURIComponent(u)
  }
  catch (e) {
    // if decodeURIComponent failed, 

st mitigation explained

Take the code tour to understand the fix.

Keep learning

To learn more about directory traversal, check out some other great content produced by Snyk:

If you want to discover more about the vulnerability present in st, watch our YouTube video and read our blog post.
Read our white paper on Zip Slip, a directory traversal vulnerability that results in remote code execution.
If the white paper got you worried, learn how to mitigate Zip Slip in your code-base with our cheat sheet.

Congratulations

You’ve learned what directory traversal is and how to protect your systems from it. We hope you will apply your new knowledge wisely and make your code much safer. Feel free to rate how valuable this lesson was for you and provide feedback to make it even better! Also, make sure to check out our lessons on other common vulnerabilities.