attack to succeed. The attacker has targeted another file in the same
directory as index.htm.
Path Traversal attacks against a web application using special character sequences:
Original: http://example/scripts/foo.cgi?page=menu.txt
Attack: http://example/scripts/foo.cgi?page=../scripts/foo.cgi%00txt
In the above example, the web application reveals the source code of the foo.cgi file through the use of special character sequences. The ../ sequence was used to traverse one directory above the current one and enter the /scripts directory. The %00 sequence was used both to bypass the file extension check and to snip off the extension when the file was read in.
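The two tricks described above, shown from the defender's side as added example code that is not part of the WASC document: a naive suffix check of the kind the %00 sequence slips past, next to a hardened resolver that decodes the parameter once, rejects NUL bytes and path components, requires the expected extension on the decoded value, and confines the canonical path to the page directory. BASE_DIR and the function names are assumptions for this demo.

```python
import os
import urllib.parse

# Assumed location of the page files (constructed for the demo).
BASE_DIR = os.path.realpath(os.path.join(os.sep, "var", "www", "pages"))


def naive_suffix_check(page: str) -> bool:
    """The check the attack in the text defeats: decode the parameter and
    accept anything ending in 'txt'. The decoded attack string
    '../scripts/foo.cgi\\x00txt' still ends in 'txt', so it passes, while a
    C-level open() stops at the NUL and reads foo.cgi."""
    decoded = urllib.parse.unquote(page)
    return decoded.endswith("txt")


def resolve_page(base_dir: str, page: str) -> str:
    """Hardened resolution. Decodes exactly once, then validates the decoded
    value. Returns the absolute path to serve or raises ValueError."""
    decoded = urllib.parse.unquote(page)
    # NUL can truncate the name in lower layers; never let it through.
    if "\x00" in decoded:
        raise ValueError("NUL byte in page name")
    # Only a bare file name is acceptable: this rejects '../' and any '/'.
    if decoded in ("", ".", "..") or decoded != os.path.basename(decoded):
        raise ValueError("path components not allowed")
    # Extension check on the decoded value, with the dot included.
    if not decoded.endswith(".txt"):
        raise ValueError("unexpected extension")
    # Canonicalise and confirm containment (separator-aware, not a prefix test).
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("escapes base directory")
    return candidate


def is_allowed(page: str) -> bool:
    """Convenience wrapper: True when resolve_page accepts the parameter."""
    try:
        resolve_page(BASE_DIR, page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("menu.txt", "../scripts/foo.cgi%00txt", "%2e%2e/menu.txt"):
        print(f"{p!r}: naive={naive_suffix_check(p)} hardened={is_allowed(p)}")
```

The resolver decodes the parameter exactly once and validates the result; decoding a second time after the check is the mistake behind the superfluous-decoding advisory listed in the references, because the second decode can produce separators or traversal sequences the check never saw.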
Reference
- CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS
  http://www.cert.org/advisories/CA-2001-12.html
- Novell Groupwise Arbitrary File Retrieval Vulnerability
  http://www.securityfocus.com/bid/3436/info/
5.4  Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality. By making educated guesses, the attack is a brute-force search looking for content that is not intended for public viewing. Temporary files, backup files, configuration files, and sample files are all examples of potentially leftover files. These brute-force searches are easy because hidden files will often have common naming conventions and
53
Copyright 2004, Web Application Security Consortium. All rights reserved.
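Because a Predictable Resource Location search is a burst of guesses for leftover-style names, most of which miss, it leaves a recognisable trace in the access log. The following detector, added here as example code that is not part of the WASC document, groups 404 responses for backup-, temporary-, configuration- and sample-style names by client and reports clients that reach a threshold. The log lines, the name patterns and the threshold are constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2004:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 1043
203.0.113.5 - - [10/Mar/2004:10:00:02 +0000] "GET /index.htm.bak HTTP/1.1" 404 210
203.0.113.5 - - [10/Mar/2004:10:00:02 +0000] "GET /index.htm.old HTTP/1.1" 404 210
203.0.113.5 - - [10/Mar/2004:10:00:03 +0000] "GET /index.htm~ HTTP/1.1" 404 210
203.0.113.5 - - [10/Mar/2004:10:00:03 +0000] "GET /config.inc HTTP/1.1" 404 210
203.0.113.5 - - [10/Mar/2004:10:00:04 +0000] "GET /test.cgi HTTP/1.1" 404 210
198.51.100.7 - - [10/Mar/2004:10:00:05 +0000] "GET /products.htm HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2004:10:00:06 +0000] "GET /missing.htm HTTP/1.1" 404 210
"""

# Minimal CLF parser: client address, request path and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Name patterns typical of the leftover files the section describes
# (assumed list; tune it to the site's own conventions).
LEFTOVER_RE = re.compile(
    r'(\.(bak|old|orig|tmp|swp|inc|sample)$|~$|/test[^/]*$|/backup)', re.I
)


def parse_log(log_text):
    """Yield (ip, path, status) for every line the parser understands."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def find_resource_guessing(log_text, threshold=3):
    """Return {ip: [missed paths]} for clients whose 404s on leftover-style
    names reach the threshold; ordinary 404s on normal names are ignored."""
    misses = defaultdict(list)
    for ip, path, status in parse_log(log_text):
        if status == 404 and LEFTOVER_RE.search(path):
            misses[ip].append(path)
    return {ip: paths for ip, paths in misses.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_resource_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} misses on leftover-style names: {paths}")
```

The threshold keeps a single mistyped URL from raising an alert; the practical countermeasure remains not leaving such files in the document root at all, and this detector only tells you who is looking for them.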