A directory traversal attack exploits insufficient security validation or
sanitization of user-supplied input file names, so that characters representing
"traverse to parent directory" are passed through to the file APIs.
The goal of this attack is to make an application access a computer file that
is not intended to be accessible. The attack exploits a lack of security (the
software is acting exactly as it is supposed to) as opposed to exploiting a bug
in the code.
Directory traversal is also known as the ../ (dot dot slash)
attack, directory climbing, and backtracking. Some forms of this attack are also
A typical example of vulnerable application code is:
<?php
// Default template, overridden by an attacker-controlled cookie value that is
// concatenated into the include path without any validation.
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
    $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );
?>
An attack against this system could be to send the following HTTP request:
GET /vulnerable.php HTTP/1.0
Generating a server response such as:
HTTP/1.0 200 OK
The repeated ../ sequences after /home/users/phpguru/templates/ cause
include() to traverse to the root directory and then include the UNIX password
file. That file is a common target used to demonstrate directory traversal, as
it is often used by crackers to try cracking the passwords.
Variations of directory traversal
Directory traversal is trickier to prevent than it might seem. A "filter out
known bad characters" protection strategy is likely to fail.
There are many other factors involved that would determine whether a
directory traversal would actually work. However, if the application does not
validate the legitimacy of such parameters, it is quite likely that attackers
may have some wiggle room to exploit this functionality for malicious purposes.
Listed below are some known directory traversal attack strings:
Directory traversal on UNIX
Unix-like directory traversal uses the ../ characters.
Directory traversal on Microsoft Windows
Microsoft Windows or DOS directory traversal uses the ..\ characters.
Today, many Windows programs or APIs also accept the Unix-style ../ directory
traversal characters.
Each partition has a separate root directory (labeled C:\ for a particular
partition C) and there is no common root directory above that. This means that
for most directory traversal vulnerabilities on Windows, the attack is limited
to a single partition.
URI encoded directory traversal
Some web applications scan the query string for dangerous characters, such as
the .. sequence and the / and \ path separators, to prevent directory
traversal. However, the query string is usually URI decoded before use.
Therefore these applications are vulnerable to percent-encoded directory
traversal such as:
- %2e%2e%2f which translates to ../
- %2e%2e/ which translates to ../
- ..%2f which translates to ../
- %2e%2e%5c which translates to ..\
Unicode / UTF-8 encoded directory traversal
Unicode / UTF-8 encoded directory traversal was noted as a source of
vulnerabilities and attack vectors in the Cryptogram Newsletter of July 2000 by
Bruce Schneier and Jeffrey Streifling.
When Microsoft added Unicode support to their Web server, a new way of encoding
../ was introduced into their code, causing their attempts at directory
traversal prevention to be bypassed.
Multiple percent encodings, such as the overlong sequence (HEX) C0AF discussed
below, translated into / or \ characters.
Why? Percent encodings were decoded into the corresponding 8-bit characters by
the Microsoft web server. This had historically been correct behavior, as
Windows and DOS traditionally used canonical 8-bit character sets based upon
ASCII. However, the original UTF-8 was not canonical, and several different
byte sequences could now be decoded into the same string. Microsoft performed
the anti-traversal checks without UTF-8 canonicalization, and therefore did not
notice that (HEX) C0AF and (HEX) 2F represented the same character when doing
string comparisons.
Possible Methods to Prevent Directory Traversal
A possible algorithm for preventing directory traversal would be to:
- Process URI requests that do not result in a file request, e.g.,
executing a hook into user code, before continuing below.
- When a URI request for a file/directory is to be made, build a full path
to the file/directory if it exists, and normalize all characters (e.g., %20
converted to spaces).
- It is assumed that a fully qualified, normalized 'Document Root' path is
known, and that this string has a length N. Assume that no files outside this
directory can be served.
- Ensure that the first N characters of the fully qualified path to the
requested file are exactly the same as the 'Document Root'.
- If so, allow the file to be returned.
- If not, return an error, since the request is clearly out of bounds from
what the web server should be allowed to serve.
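The algorithm above carried out in Python, as an added example that is not code from the original page. It assumes a hypothetical document root /srv/www, and contrasts the literal "first N characters" comparison with a separator-aware one, because the raw prefix test also accepts a sibling directory whose name merely begins with the document root.

```python
import os
from typing import Optional
from urllib.parse import unquote


def build_candidate(doc_root: str, requested: str) -> str:
    """Steps 2-3: percent-decode, normalize separators, build the full path."""
    root = os.path.realpath(doc_root)
    # Decode twice so double-encoded sequences (%252e -> %2e -> .) are also
    # normalized before any check runs; decoding plain text is a no-op.
    decoded = unquote(unquote(requested))
    # Windows APIs accept both ../ and ..\, so treat \ as a separator too.
    decoded = decoded.replace("\\", "/")
    # realpath collapses ../ components (and symlinks, where the path exists),
    # so the result is the canonical location the file API would open.
    return os.path.realpath(os.path.join(root, decoded.lstrip("/")))


def naive_prefix_check(doc_root: str, requested: str) -> bool:
    """Step 4 taken literally: compare the first N characters only.

    Flaw: with doc_root=/srv/www this accepts /srv/www_old/secret, since the
    first N characters match even though the file is outside the root.
    """
    root = os.path.realpath(doc_root)
    return build_candidate(doc_root, requested)[: len(root)] == root


def resolve_under_root(doc_root: str, requested: str) -> Optional[str]:
    """Step 4 done safely: the root must be a whole path-component prefix.

    Returns the canonical path when it lies under doc_root, else None.
    """
    root = os.path.realpath(doc_root)
    candidate = build_candidate(doc_root, requested)
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None  # request is out of bounds: serve an error instead
    except ValueError:  # cannot happen for two absolute paths, kept for safety
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for req in ["css/site.css", "../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc/passwd", "../www_old/secret"]:
        print(f"{req!r:35} -> {resolve_under_root('/srv/www', req)}")
```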