..%c0%af) of the forward slash character, backslash characters
(..\) on Windows-based servers, URL-encoded characters
(%2e%2e%2f), and double URL encoding (..%255c) of the
backslash character.
Even if the web server properly restricts Path Traversal attempts in
the URL path, a web application itself may still be vulnerable due to
improper handling of user-supplied input. This is a common problem
of web applications that use template mechanisms or load static text
from files. In variations of the attack, the original URL parameter
value is substituted with the file name of one of the web application's
dynamic scripts. Consequently, the results can reveal source code
because the file is interpreted as text instead of an executable script.
These techniques often employ additional special characters such as
the dot (.) to reveal the listing of the current working directory, or
%00 NUL characters in order to bypass rudimentary file extension
checks.
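The following added example (not part of the original WASC text) shows one way a web application could validate a file-name parameter such as home before using its value as content. The root directory, the extension allowlist and the names resolve_home, fully_decode and RejectedPath are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

TEMPLATE_ROOT = "/var/www/templates"      # assumed content directory
ALLOWED_EXT = {".htm", ".html", ".txt"}   # static content only, never scripts


class RejectedPath(ValueError):
    """Raised when a requested name must not be served."""


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so layered
    encodings such as ..%255c are checked in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise RejectedPath("too many encoding layers")


def resolve_home(param, root=TEMPLATE_ROOT):
    """Map an untrusted parameter to a file under root, or raise."""
    name = fully_decode(param)
    if "\x00" in name:
        # A NUL can truncate the name after an extension check passes.
        raise RejectedPath("NUL byte in name")
    # Treat the Windows separator like a forward slash before resolving.
    name = name.replace("\\", "/")
    # Allowlist on the final extension: foo.cgi and "." never qualify.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise RejectedPath("extension not allowed")
    # Canonicalise (collapses ../ and follows symlinks), then require
    # that the result is still inside the content directory.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise RejectedPath("path escapes content directory")
    return target
```

The order matters: decoding and the NUL check run before the extension test, and the containment check runs on the canonical path rather than on the raw string.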
Example
Path Traversal attacks against a web server
Attack: http://example/../../../../../some/file
Attack: http://example/..%255c..%255c..%255csome/file
Attack: http://example/..%u2216..%u2216some/file
Path Traversal attacks against a web application
Original: http://example/foo.cgi?home=index.htm
Attack: http://example/foo.cgi?home=foo.cgi
In the above example, the web application reveals the source code of
the foo.cgi file because the value of the home variable was used
as content. Notice that in this case the attacker does not need to
submit any invalid characters or any path traversal characters for the
Copyright 2004, Web Application Security Consortium. All rights reserved.



