Path Traversal Vulnerability Detection and Prevention

Source: Internet
Author: User

Web applications commonly include file-handling functions that take the file name as a request parameter, for example http://www.nuanyue.com/getfile=image.jpg. When the server handles the submitted name image.jpg, the application prepends the full path itself, producing something like d:/site/images/image.jpg. Because the file name is entirely under the client's control, an attacker can insert special sequences such as "../" (or, in some applications, "~/") to step out of the intended directory and read or overwrite sensitive data such as the site's configuration files and core system files. This class of defect is called a Path Traversal vulnerability. A typical function that introduces it, shown as a code example:

    <?php
    $filename = $_GET['filename'];                // file name taken straight from the request
    if ($filename) {
        $content = @file_get_contents($filename); // no base directory, no canonicalisation, errors suppressed
        if ($content) {
            echo $content;                        // file contents echoed back to the client
        }
    }
    ?>

In this code the attacker controls the filename parameter and can read an arbitrary file by submitting ../../../../../../etc/passwd as its value, gaining unauthorized access to sensitive system files.

Security testing. Path traversal is detected by exercising the functional blocks of the application that read or write files. Take a download function such as http://www.nuanyue.com/test/downfile.jsp?filename=fan.pdf. The tester inserts "../" into the parameter; in the original example the submitted value makes the server parse d:/site/test/pdf/fan/../../*53.pdf, the "../" steps back out of the fan directory to d:/site/test/pdf/*53.pdf, and the page is returned normally, which shows that the application resolves the submitted path without restricting it. The parameter is usually hidden inside file-reading or image-display functional blocks, and that is exactly where traversal lives, so filtering the data exchanged with the client is indispensable. Having established read access, attackers cross directories into protected files such as ../../../../../../../etc/passwd or ../../../../boot.ini. Many sites now sit behind a WAF-type device that intercepts a request outright as soon as /etc/passwd, boot.ini or a similar file name appears in the data.

Traversal attack variants. Path traversal is extremely common. Developers know to filter, or simply delete, parts of the passed parameter, but many of these filtering methods are weak and can be broken with the techniques below, which can of course be combined in practice.

Encoding the parameter. Some applications encode the file name before the client submits it, for example downfile.jsp?filename=ZmFuLnBkZg==, where the filename parameter is the Base64 encoding of fan.pdf. To bypass this the attacker simply Base64-encodes the traversal path and submits that instead.
Any regular or easily recognised encoding therefore provides no real protection (Base64 is an encoding, not encryption).

Bypassing filters with alternative encodings. A filter that inspects the parameter before the framework decodes it is defeated by a different encoding of the same value. With URL encoding, downfile.jsp?filename=%66%61%6E%2E%70%64%66 decodes to fan.pdf, and ../ can likewise be submitted as %2e%2e%2f.

Bypassing allowed-directory restrictions. Some applications try to confine access by setting permissions on separate directories, which on its own is not worth much. Attackers use special symbols such as "~" to bypass it, submitting for instance downfile.jsp?filename=~/../boot.ini; where the application expands such a symbol to another base directory, the "../" then steps straight out towards the root of the drive. Whether this works depends on how the application interprets the symbol, not on the file system.

Bypassing file-suffix filtering. Some applications check the suffix of the requested file name before reading it. The attacker appends a null byte after the real name: ../../../../boot.ini%00.jpg. The web application's own string API allows null characters inside the string, so the suffix check sees .jpg, but the system API that finally opens the file treats the null as the end of the C string and opens ../../../../boot.ini. Modern runtimes have closed this gap (PHP, for example, rejects null bytes in file paths since 5.3.4), so it works mainly against older stacks. On Unix-like systems the article also describes a URL-encoded line break, ../../../etc/passwd%0a.jpg: the name is truncated at the newline if some stage of processing splits on line breaks. Note that a newline is a legal byte in a Unix file name, so this depends on such a stage existing, not on the file system.

Token bypass. Some applications judge where a submitted parameter came from by checking the HTTP Referer header. This is bypassed by placing the URL in a message board or other interactive area of the site and clicking it, or by directly editing the Referer. The Referer is sent by the client browser; the server has no control over it, and treating it as a trusted source is simply wrong.

Preventing path traversal. The most effective measures are permission control and careful handling of the path parameters handed to the file-system API.
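The probes a tester submits and the variants an attacker uses against weak filters, as an added example in Python that is not part of the original article (the article's own code is PHP/JSP; Python is used here only because the logic is language-neutral). The base directory /var/www/site/images/, the blacklist and the target path are constructed assumptions; naive_filter and naive_resolve model a substring-blacklist WAF and an application that deletes "../" once, neither of which is a real product. Double URL encoding is included as a generalisation the article does not list.

```python
import base64
import posixpath
import urllib.parse

# Constructed assumptions for the demonstration.
BASE_DIR = "/var/www/site/images/"               # directory the application intends to serve from
TARGET = "../../../../etc/passwd"                 # four "../" climb from images/ to the filesystem root
BLACKLIST = ("../", "/etc/passwd", "boot.ini")    # literal strings a WAF-style device looks for


def make_variants(path: str) -> dict:
    """Build the traversal variants the article describes for one target path."""
    once = urllib.parse.quote(path, safe="")      # "/" -> %2F; urllib leaves "." literal
    return {
        "plain": path,
        "url": once,                                          # decoded later by the framework
        "double_url": urllib.parse.quote(once, safe=""),      # survives one round of decoding
        "base64": base64.b64encode(path.encode()).decode(),   # the ZmFuLnBkZg== style parameter
        "nul_suffix": path + "\x00.jpg",                      # suffix check sees .jpg
        "dot_stuffing": path.replace("../", "....//"),        # "....//" minus "../" is "../" again
    }


def naive_filter(param: str) -> bool:
    """Substring blacklist applied to the raw parameter (WAF style). True = request allowed."""
    return not any(bad in param for bad in BLACKLIST)


def naive_resolve(base: str, param: str) -> str:
    """Weak application: delete '../' once, decode once, concatenate, let the OS normalise."""
    cleaned = param.replace("../", "")
    cleaned = urllib.parse.unquote(cleaned)       # decoding after the check re-creates "../"
    return posixpath.normpath(base + cleaned)


def suffix_allowed(param: str) -> bool:
    """Suffix whitelist applied to the raw string, as a weak application does it."""
    return param.lower().endswith((".jpg", ".pdf"))


def c_string_view(param: str) -> str:
    """What a C-based file API sees: the string ends at the first NUL byte."""
    return param.split("\x00", 1)[0]


if __name__ == "__main__":
    for name, value in make_variants(TARGET).items():
        print(f"{name:12} filter={'pass' if naive_filter(value) else 'BLOCK':5} "
              f"resolves_to={naive_resolve(BASE_DIR, value)!r}")
```

The blacklist stops the plain form but passes the URL-encoded and Base64 forms; the strip-once application is escaped by both the encoded form and the dot-stuffed form, even though the blacklist would have caught the latter. Python's own open() refuses a NUL in a path, so c_string_view only models what a C-level API would receive.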
The root cause is usually that directories or files are not properly permissioned while the application relies on the system API to read them; if the parameters passed along are not strictly controlled, the application ends up with more access than intended. The following defenses should preferably be combined.

 Data sanitization: hard-code or normalize the encoding of user-submitted file names, accept only a whitelist of file suffixes, and reject names that contain malicious symbols or null bytes.

 Confine the file-system view: run the application in a chroot environment limited to the directory holding the served files, or build the path as a fixed absolute base directory + the parameter and verify that the resolved result stays inside that directory, so that even an unauthorized or cross-directory request remains under the specified directory.

Path traversal lets an attacker break through the application's access controls and directly read the sensitive data they are after: configuration files, logs and source code. Combined with other vulnerabilities it is an easy route to higher privileges. Exploiting it takes little effort: manually inspect the read/write functional blocks of the application, and the returned page content shows at once whether it worked.
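A hardened resolver implementing the defenses above (decode exactly once, reject control bytes and absolute paths, whitelist the suffix, canonicalise with realpath and confirm the result stays under the base directory), as an added Python example that is not the article's code. The directory layout, file names, suffix whitelist and the TraversalRejected exception are constructed for the demonstration; it also covers a symlink pointing outside the served tree, a case the article does not mention but which realpath handles for free.

```python
import os
import shutil
import tempfile
import urllib.parse

ALLOWED_SUFFIXES = {".pdf", ".jpg", ".png"}   # constructed whitelist


class TraversalRejected(ValueError):
    """Raised for any request that must not reach the file system."""


def resolve_under(base_dir: str, user_param: str) -> str:
    """Map a client-supplied name to a real path inside base_dir or raise TraversalRejected.

    Order matters: decode exactly once, validate the decoded string, canonicalise,
    then compare against the canonical base. Checking the raw string, or comparing
    before realpath(), is what the bypasses described in the article exploit.
    """
    name = urllib.parse.unquote(user_param)
    if any(ch in name for ch in ("\x00", "\n", "\r")):
        raise TraversalRejected("control character in file name")
    if name.startswith(("/", "\\", "~")) or (len(name) > 1 and name[1] == ":"):
        raise TraversalRejected("absolute or home-relative path")   # "x:" covers Windows drives
    if os.path.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
        raise TraversalRejected("suffix not whitelisted")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, name))   # collapses ../ and follows symlinks
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise TraversalRejected("resolved path escapes base directory")
    return candidate


def read_served_file(base_dir: str, user_param: str) -> bytes:
    with open(resolve_under(base_dir, user_param), "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a constructed layout in a temp dir, probe it, return {payload: result}."""
    root = tempfile.mkdtemp()
    try:
        served = os.path.join(root, "site", "pdf")
        os.makedirs(served)
        with open(os.path.join(served, "fan.pdf"), "wb") as f:
            f.write(b"%PDF-fake")
        secret = os.path.join(root, "secret.pdf")              # outside the served tree
        with open(secret, "wb") as f:
            f.write(b"root:x:0:0")
        os.symlink(secret, os.path.join(served, "link.pdf"))   # whitelisted suffix, points outside
        payloads = [
            "fan.pdf",                        # legitimate request
            "../../secret.pdf",               # plain traversal
            "..%2F..%2Fsecret.pdf",           # URL-encoded traversal
            "../../secret.pdf%00.jpg",        # null-byte suffix trick
            "link.pdf",                       # symlink escape
            "fan.pdf/../../../secret.pdf",    # traversal after a valid component
            "/etc/passwd",                    # absolute path
        ]
        results = {}
        for p in payloads:
            try:
                results[p] = read_served_file(served, p)
            except TraversalRejected as e:
                results[p] = "rejected: " + str(e)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for payload, result in demo().items():
        print(f"{payload:32} -> {result!r}")
```

Only fan.pdf is served; every other payload is rejected before open() is called. The commonpath comparison is done on realpath output for both sides, so a base directory that is itself reached through a symlink still compares correctly.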
