Exercise 53: Path Traversal Attack

Jun 26, 2025

Objective

Learn how to exploit Path Traversal vulnerabilities to access files outside the intended directory by manipulating file paths. Understand how to prevent these attacks by validating user input, using absolute file paths, and restricting file access to specific directories.


Scenario

You are testing a web application that allows users to download files by providing the file name as a URL parameter. Due to insufficient input validation, an attacker can manipulate the file path to access sensitive system files.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and web servers.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

  1. PHP Script for File Download (Vulnerable)
    • Create a file download.php:

      <?php
      if (isset($_GET['file'])) {
          $file = $_GET['file'];
          // user input is appended to the path as-is; this is the traversal vulnerability
          $filepath = "uploads/" . $file;
          if (file_exists($filepath)) {
              header('Content-Type: application/octet-stream');
              header('Content-Disposition: attachment; filename=' . basename($filepath));
              readfile($filepath);
              exit;
          } else {
              echo "File not found.";
          }
      } else {
          echo "No file specified.";
      }
      ?>
      <h2>Download a File</h2>
      <form method="GET" action="">
          File Name: <input type="text" name="file" required>
          <button type="submit">Download</button>
      </form>
  2. Create the Uploads Directory
    • Create a directory named uploads in the web server’s root (htdocs for XAMPP).
    • Add a sample file example.txt in the uploads folder.
  3. Running the Application
    • Start the Apache server.
    • Place download.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/download.php in your browser.

Exploitation Steps

Step 1: Downloading Files Normally

  1. Enter example.txt in the form and click Download.
  2. Expected Result:
    • The file example.txt downloads successfully.

Step 2: Exploiting Path Traversal

  1. Enter the following payload to access sensitive files: ../../../../etc/passwd
  2. Expected Result:
    • The server responds with the contents of /etc/passwd.
  3. On Windows systems, try accessing system files: ..\..\..\..\Windows\System32\drivers\etc\hosts
  4. Expected Result:
    • The server displays the contents of the hosts file.

Solution and Prevention

Problem Analysis

  • The application directly appends user input to the file path without validation, allowing directory traversal.

Fixing the Vulnerability

  1. Validate and Sanitize User Input
    • Restrict input to a bare filename (strip any directory component):

      // basename() discards everything before the last separator, so "../" sequences cannot leave uploads/
      $file = basename($_GET['file']);
      $filepath = "uploads/" . $file;
  2. Restrict Access to Specific Directories
    • Use a predefined allow-list of files or directories:

      $allowed_files = ['example.txt', 'document.pdf'];
      if (in_array($file, $allowed_files)) {
          $filepath = "uploads/" . $file;
      } else {
          die("Invalid file request.");
      }
  3. Use Real Path Validation
    • Ensure the requested file is within the allowed directory:

      $base = realpath("uploads");
      $filepath = realpath("uploads/" . $file);
      // realpath() returns false when the path does not exist, so check that first.
      // Compare against the base with a trailing separator: a plain prefix check would
      // also accept a sibling directory such as uploads_private.
      if ($filepath !== false
          && strpos($filepath, $base . DIRECTORY_SEPARATOR) === 0
          && is_file($filepath)) {
          header('Content-Type: application/octet-stream');
          header('Content-Disposition: attachment; filename=' . basename($filepath));
          readfile($filepath);
          exit;
      } else {
          echo "Invalid file request.";
      }
  4. Use a Content Delivery System for Downloads
    • Store sensitive files in a secure, external storage system, separating application logic from file storage.

Testing After Fix

  1. Attempt to download ../../../../etc/passwd.
  2. Expected Result:
    • The application blocks the request and displays an error.
  3. Attempt normal downloads with valid filenames.
  4. Expected Result:
    • The valid file downloads successfully.
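The containment check from fix 3 ("Use Real Path Validation") and the checks listed under "Testing After Fix", carried out together in Python as an added example; this is not the lab's PHP code. It builds a constructed, hypothetical directory layout in a temporary folder, contrasts a plain prefix check with one that appends the separator and requires a regular file, and returns which requests each version would serve.

```python
import os
import tempfile


def naive_contains(base_dir: str, requested: str) -> bool:
    """Prefix check as commonly written: realpath() then startswith(base).
    It still accepts a sibling directory whose name merely begins with 'uploads'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return candidate.startswith(base)


def resolve_download(base_dir: str, requested: str):
    """Canonical path of `requested` inside `base_dir`, or None when the request
    escapes the directory or is not a regular file. realpath() collapses ../ and
    symlinks first, so the comparison is made on the real location; the base is
    compared with a trailing separator, which closes the sibling-directory gap."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def run_checks() -> dict:
    """Constructed layout (hypothetical, created in a temp dir):
    uploads/example.txt, uploads_private/secret.txt and outside.txt beside them.
    Returns {request: (naive_result, hardened_result)} for a set of inputs."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "uploads_private"))
    for rel in ("uploads/example.txt", "uploads_private/secret.txt", "outside.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    requests = [
        "example.txt",                     # normal download, must succeed
        "./example.txt",                   # same file via a dot segment
        "../outside.txt",                  # classic traversal out of uploads/
        "../uploads_private/secret.txt",   # sibling dir that shares the prefix
        "/etc/passwd",                     # absolute path overriding the base
        "missing.txt",                     # nonexistent file
    ]
    return {r: (naive_contains(uploads, r), resolve_download(uploads, r) is not None)
            for r in requests}


if __name__ == "__main__":
    for req, (naive, hardened) in run_checks().items():
        print(f"{req:32} naive={naive!s:5} hardened={hardened}")
```

The sibling-directory row is the one to watch: the plain prefix check serves it, the hardened check does not.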

Conclusion

In this lab, you exploited a Path Traversal vulnerability to access sensitive files outside the intended directory. You also learned how to prevent this vulnerability by validating user input, using absolute paths, and restricting file access to specific directories.
