Insecure File Management

Path Traversal

About Path Traversal

What is Path Traversal?

Path traversal, also known as directory traversal, is a type of security vulnerability that allows an attacker to access files or directories outside the web root directory of a web application. This vulnerability occurs when a web application does not properly validate user input or user-controlled data, such as file names or paths, and allows directory traversal sequences to be passed through the input.

Check out this video for a high-level explanation:

What is the impact of Path Traversal?

Path Traversal can lead to unauthorized access to sensitive files and data on a server or application. This can include files containing passwords, user data, or other confidential information.

An attacker who successfully exploits a Path Traversal vulnerability can gain access to sensitive data, modify or delete files, and potentially execute arbitrary code or perform other malicious actions.

This can lead to a variety of security incidents, such as data breaches, theft of intellectual property, or disruption of services.

The impact of a Path Traversal vulnerability can vary depending on the nature of the files and data that are accessed, as well as the specific context of the system or application being targeted.

In some cases, a Path Traversal attack may have little impact beyond revealing the existence of certain files, while in other cases, it can have severe consequences for the confidentiality, integrity, and availability of the system or application.

How to prevent Path Traversal?

To prevent Path Traversal vulnerabilities, it is important to properly validate and sanitize user input, and to use secure coding practices.

Here are some steps that can help prevent Path Traversal attacks:

• Validate user input: Always validate and sanitize user input, especially file names and paths. Ensure that user input only contains expected characters and that any special characters are properly escaped or removed.
• Use secure coding practices: Use secure coding practices, such as enforcing strict file permissions and preventing the execution of user-controlled input as code. Use libraries and frameworks that have built-in protection against Path Traversal attacks.
• Use an allow list: Use an allow list of permitted file names or directories and reject any input that does not match the list. This can help prevent unauthorized access to sensitive files and directories.
• Implement access controls: Implement access controls to restrict user access to files and directories based on roles and permissions.
• Use server-side checks: Use server-side checks to verify that any requested file or directory is within the expected range and does not contain any invalid or unexpected characters.
• Monitor and log: Monitor and log all file system access to detect any suspicious activity or attempts to access files or directories outside of the expected range.

By following these steps, you can help prevent Path Traversal vulnerabilities and reduce the risk of unauthorized access to sensitive files and data.

References

Taxonomies

• OWASP Top 10 - A01 Broken Access Control
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-23: Relative Path Traversal
• CWE-36: Absolute Path Traversal

Explanation & Prevention

• OWASP: Path Traversal
• OWASP: File Upload Cheat Sheet
• OWASP: Input Validation Cheat Sheet
• CAPEC-126: Path Traversal
• WASC-33: Path Traversal

Related CVEs

• CVE Details: CWE-22

Training

• Secure Code Warrior: Path Traversal

Fixing Path Traversals

A Path Traversal vulnerability has been detected by our runtime engines.

Fixing advice for common languages is listed below:

• .NET
• Elixir
• Go
• Java
• JavaScript/TypeScript
• Python
• Ruby

Directory Listing

About Directory Listing

What is Directory Listing?

Directory listing is a feature of web servers that allows users to view the contents of a directory on a website. When directory listing is enabled, a user can view a list of all the files and directories that are stored in a particular directory, along with any relevant metadata, such as file size or last modified date.

Directory listing can be useful for users who want to browse the contents of a website or find specific files or information. However, it can also pose a security risk, as it can reveal sensitive information about the files and directories stored on a server.

This can include file names, directory structures, and other metadata that could be used by an attacker to gain access to the server or launch other attacks.

What is the impact of Directory Listing?

Directory listing can reveal sensitive information about the files and directories stored on a server. This information can include file names, directory structures, and other metadata that can be used by attackers to gain unauthorized access to the server or launch other attacks.

For example, directory listing can reveal the location of configuration files, backup files, or other sensitive files that can be used to gain access to a system or application. It can also reveal the location of files containing passwords, user data, or other confidential information, which can be used for identity theft or other malicious activities.

Additionally, directory listing can be used by attackers to map out the structure of a website or application, which can be used to identify potential vulnerabilities and launch other attacks.

This can include cross-site scripting (XSS) attacks, SQL injection attacks, or other types of web application attacks.

How to prevent Directory Listing?

To prevent directory listing, it is recommended to follow these steps:

• Disable directory listing: The easiest way to prevent directory listing is to disable it in the web server configuration. This will prevent users from being able to view the contents of directories on the server.
• Use an index file: If directory listing is disabled, users may still be able to access files in a directory if there is an index file present. By adding an index file, such as index.html or index.php, the server will display that file instead of the directory listing.
• Use access controls: Use access controls to restrict user access to files and directories based on roles and permissions. This can help prevent unauthorized access to sensitive files and directories.
• Secure file and directory permissions: Set secure file and directory permissions to prevent unauthorized access. For example, ensure that files and directories are not writable by everyone and that only authorized users have access.
• Use secure coding practices: Use secure coding practices that prevent unauthorized access to sensitive files and directories. This includes validating and sanitizing user input, avoiding the use of hard-coded credentials, and using secure programming languages and frameworks.
• Use monitoring and logging: Use monitoring and logging to detect and respond to any attempts to access directory listings or other sensitive files and data. This can help identify potential security incidents and enable a timely response.

References

Taxonomies

• OWASP Top 10 - A01 Broken Access Control
• CWE-548: Exposure of Information Through Directory Listing

Related CVEs

• CVE Details: CWE-548

Fixing Directory Listings

A Directory Listing vulnerability has been detected by our runtime engines.

Fixing advice for common languages is listed below:

• Go

File Inclusion

About File Inclusion

What is File Inclusion?

File inclusion is a type of security vulnerability that allows an attacker to include files on a server or application that should not be accessible. This vulnerability occurs when a web application does not properly validate user input, such as file names or paths, and allows file inclusion sequences to be passed through the input.

There are two main types of file inclusion vulnerabilities:

• Local File Inclusion (LFI): LFI occurs when a web application allows a user to include a local file on the server that should not be accessible. An attacker can exploit this vulnerability by providing a malicious file path, which the web application includes without proper validation. The attacker can use LFI to access sensitive files, such as password files or configuration files, and potentially execute arbitrary code on the server.

• Remote File Inclusion (RFI): RFI occurs when a web application allows a user to include a file from a remote server. An attacker can exploit this vulnerability by providing a malicious file path to a file hosted on a remote server. The attacker can use RFI to include a file that contains malicious code, such as a remote shell, which can be executed on the server.

Both LFI and RFI vulnerabilities can be exploited to gain unauthorized access to sensitive data or to execute arbitrary code on a server, which can lead to various security incidents such as data breaches, system compromises, or disruption of services.

What is the impact of File Inclusion?

The impact of a file inclusion vulnerability can lead to unauthorized access to sensitive files and data on a server or application. This can include files containing passwords, user data, or other confidential information.

An attacker who successfully exploits a file inclusion vulnerability can gain access to sensitive data, modify or delete files, and potentially execute arbitrary code or perform other malicious actions.

The impact of a file inclusion vulnerability can vary depending on the nature of the files and data that are accessed, as well as the specific context of the system or application being targeted.

In some cases, a file inclusion attack may have little impact beyond revealing the existence of certain files, while in other cases, it can have severe consequences for the confidentiality, integrity, and availability of the system or application.

How to prevent File Inclusion?

To prevent file inclusion vulnerabilities, it is important to properly validate and sanitize user input, and use secure coding practices.

Here are some steps that can help prevent file inclusion attacks:

• Validate user input: Always validate and sanitize user input, especially file names and paths. Ensure that user input only contains expected characters and that any special characters are properly escaped or removed.
• Use secure coding practices: Use secure coding practices, such as enforcing strict file permissions and preventing the execution of user-controlled input as code. Use libraries and frameworks that have built-in protection against file inclusion attacks.
• Use an allow list: Use an allow list of permitted file names or directories and reject any input that does not match the allow list.
• Implement access controls: Implement access controls to restrict user access to files and directories based on roles and permissions.
• Monitor and log: Monitor and log all file system access to detect any suspicious activity or attempts to access files or directories outside of the expected range.

By following these steps, you can help prevent file inclusion vulnerabilities and reduce the risk of unauthorized access to sensitive files and data.

References

Taxonomies

• OWASP Top 10 - A03 Injection
• CWE-73: External Control of File Name or Path
• CWE-706: Use of Incorrectly-Resolved Name or Reference
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Explanation & Prevention

• OWASP: Testing for Local File Inclusion
• OWASP: Testing for Remote File Inclusion
• OWASP: Input Validation Cheat Sheet

Related CVEs

• CVE Details: CWE-73
• CVE Details: CWE-706
• CVE Details: CWE-98

Training

• Secure Code Warrior: Local File Inclusion
• Secure Code Warrior: Remote File Inclusion

Fixing File Inclusions

A File Inclusion vulnerability has been detected by our runtime engines.

Fixing advice for common languages is listed below:

• PHP