A directory traversal is an HTTP attack that allows attackers to gain access to restricted files. Directory traversal attacks, also known as path traversal, are some of the most common and dangerous attacks that businesses will see.
Securing and running web servers is imperative to the efficacy of any organization, and understanding how directory traversals work in preparation for an attack is the only way to prevent and mitigate vulnerabilities.
Directory traversal vulnerabilities
Directory traversal vulnerabilities are enabled by insufficient sanitization, filtering, and security of system files or parts of system files. Vulnerabilities can be found directly within server files or through application code carried out on a web server.
These vulnerabilities give attackers access to restricted files that could lead to other attacks within a system.
How do directory traversal attacks work?
Most attacks are made against or through the root directory, which is essentially the boundary that users on a server are confined to. When a directory traversal attack is performed, it is usually done by traversing out of the root directory, which gives the attacker access to specific restricted files.
These attacks can be made through vulnerabilities in either the web server or the application code. Attackers exploit these vulnerabilities by submitting URLs that instruct the system to send files back to the application. Windows or DOS traversals use the “..\” or “../” patterns to retrieve certain files from a directory, and attackers will repeat the pattern until they’ve retrieved the intended files. They can then use these files to further compromise a system.
Below we’ll get into what some directory traversal attacks might look like.
Directory traversal attack examples
This first example from the Open Web Application Security Project (OWASP) shows vulnerabilities in an application’s handling of resources:
Attackers can then insert directory traversal patterns to move out of the root directory and gain access to new files.
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
These attacks can compromise systems, sensitive files, and server data.
Attackers can also go after vulnerabilities within the web server. It would look something like this:
Although there are other types of attacks, these are the two most common that security teams and organizations will come into contact with and the two types of traversal attacks you want to be most prepared for.
Directory traversal mitigation and prevention
Before we get into how to mitigate a directory traversal should you be on the receiving end of an attack, let’s cover how you can prevent attacks before mitigation becomes necessary.
A few things you can do to prevent directory traversal attacks include:
Your team should be able to validate input from your browsers, which will prevent attackers from using commands that compromise your directories
Make sure all of your web server software is updated
Apply all available patches
Utilize filters to block any unwanted or unnecessary user inputs
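One way to validate a requested file name on the server side, as an added example that is not code from the original page: the value of a parameter such as file= is resolved to its real path and accepted only if that path still lies under the served directory. The function name resolve_under_base, the directory layout and the sample requests are all constructed for illustration.

```python
import os
import tempfile


def resolve_under_base(base_dir, requested):
    """Return the real path of `requested` if it stays inside base_dir, else None."""
    if "\x00" in requested:
        return None  # NUL bytes never belong in a file name
    # Treat both separators alike so "..\" is handled the same way as "../".
    candidate = requested.replace("\\", "/")
    base_real = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base_real, candidate))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return target if inside else None


def demo():
    """Check constructed requests against a temporary served directory."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "files")  # the only directory meant to be served
        os.makedirs(os.path.join(docs, "reports"))
        with open(os.path.join(docs, "reports", "q1.txt"), "w") as fh:
            fh.write("public report\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the served directory\n")
        # A symlink inside the served directory that points back out of it.
        os.symlink(root, os.path.join(docs, "up"))
        requests = [
            "reports/q1.txt",
            "reports/../reports/q1.txt",
            "../secret.txt",
            "..\\secret.txt",
            "../../../../etc/passwd",
            "/etc/passwd",
            "up/secret.txt",
        ]
        return {r: resolve_under_base(docs, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(("ALLOW " if allowed else "REJECT"), repr(request))
```

The check compares resolved paths rather than searching the input for “../”, so it gives the same answer however the traversal is spelled, including through a symlink.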
Even with all of the preventative measures in place, there will always be a chance that attackers get through to your directories and compromise your networks.
If you are on the receiving end of a directory traversal attack, you can mitigate the damage by:
Understanding how your OS processes filenames
Utilizing a security system that will automatically check for SQL injection, directory traversal, and other directory vulnerabilities
Taking proactive mitigation efforts by constantly monitoring your network’s traffic
Creating an incident response plan so that when you do identify an attack, you’ll be prepared for it
How Sumo Logic can help
Sumo Logic’s cloud-native, comprehensive platform helps your team make data-driven decisions and streamline the security investigation process of your networks by:
Providing you with real-time analytics that help you identify and resolve potential cybersecurity threats
Enabling your team with machine-learning algorithms that provide you with 24/7 alerts and notifications
Allowing you to easily customize dashboards that align your teams by visualizing logs, metrics, and performance data for full-stack visibility
Try a free demo to see how Sumo Logic can help you today.