Friday, September 14, 2012

Hacking websites using Directory Traversal Attacks | Hackingloops

Hacking websites has become a little more difficult nowadays, as developers are also focusing on the OWASP (Open Web Application Security Project) Top 10 vulnerabilities, which hackers normally use to hack websites. Today Hackingloops has come up with a tutorial on Directory Traversal Attacks (part of the top 10 vulnerabilities). So friends, let's start our tutorial on hacking websites using directory traversal attacks.


A directory is basically a folder where the web designer stores the website's files (with respect to the server). By directory traversal attack, I simply mean that a hacker is able to navigate between the directories and the files stored in them (say, the root, which contains all the config files, the htaccess file, ini files and xquery files; these are the most sensitive files for any website, and if the security of any of them is not handled properly, a hacker can own the website). In short, the hacker's main aim in a directory traversal attack is to get access to the sensitive files I have mentioned above.
Nowadays attackers also use directory traversal attacks to view arbitrary files on the web server, such as SSL private keys and password files.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.

What does ../ or ..\ (dot dot slash) mean?
The ..\ instructs the system to go one directory (or simply, one folder) up.
For example, say we are at the location C:\Hacking\Hacking Tools\Bugtraq. On typing ..\ , we would reach
C:\Hacking\Hacking Tools.
On typing ..\ again, we would reach
C:\Hacking and so on.

Let's go back to the location C:\Hacking\Hacking Tools\Bugtraq. Now suppose we want to access a file abcfile.txt placed in the folder Hacking. We just need to type ..\..\abcfile.txt . Typing ..\ two times takes us two directories up (that is, to the directory Hacking), where abcfile.txt is stored.
I hope you got the dot dot slash concept. Now let's proceed further.

So by now we have a complete understanding of what a directory is and what dot dot slash means. Now let's understand clearly what a directory traversal attack means.

A directory traversal attack is an HTTP (or in simple terms, web) exploit or vulnerability which allows attackers or hackers to access restricted directories (most hackers are interested in root directory access) and execute commands outside of the web server's root directory. The goal of this attack is to access sensitive files placed on the web server by stepping inside the root directory using the dot dot slash technique. By exploiting a directory traversal vulnerability, an attacker can access files in directories other than the root directory. This can be harmful, since access to restricted files containing passwords or other private information may compromise the web server.

For example, by typing the following URL:

http://www.samplesite.com/sample.php?item=../../../../web-config.php

the attacker or hacker causes sample.php to retrieve the file ../../../../web-config.php and display it in the attacker's web browser. As I have already told you, the character sequence "../" stands for "one directory up". So the string "../../../../web-config.php" means "go four directories up, then down into the root directory and retrieve the file web-config.php from there".
The attacker needs to guess how many directories to climb in order to get to the desired directory, but this can easily be done by trial and error.

I have set up a live example on my system, using a Tomcat server, to explain this vulnerability.
Say I am browsing this page:

[Image 1: Directory traversal attack sample]

Now I change test1/about.jsp to ../product.jsp and press Enter:

[Image 2: Directory traversal attack sample]

Here is the result of the above step: we are able to access product.jsp in the root folder because this sample was vulnerable to the directory traversal attack.

[Image 3: Directory traversal attack sample]

Note:

Some web applications scan query string for dangerous characters such as:
  • ..
  • ..\
  • ../
to prevent directory traversal attacks.
However, the query string is usually URI-decoded before use. Therefore these applications are vulnerable to percent-encoded directory traversal such as:
  • %2e%2e%2f which translates to ../
  • %2e%2e/ which translates to ../
  • ..%2f which translates to ../
  • %2e%2e%5c which translates to ..\

Also, in Windows Internet Explorer, Microsoft added support for Unicode characters, which introduced a new way of encoding ../ and caused their attempts at directory traversal prevention to be bypassed.
Multiple percent encodings, such as
  • %c1%1c
  • %c0%af
are translated into / or \ characters.
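
The filter-ordering problem described in the note above, shown from the defender's side as an added example (not code from the original article): `naive_filter_allows` scans the raw query value for the listed patterns, while `safe_resolve` decodes first, canonicalises the path, and refuses anything that ends up outside a base directory. The function names, the sample values and the temporary directory standing in for the web root are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

# Patterns the note lists as what some applications scan for.
BLOCKLIST = ("..", "../", "..\\")

def naive_filter_allows(raw_item):
    """Weak check: inspects the raw, still percent-encoded value."""
    return not any(pattern in raw_item for pattern in BLOCKLIST)

def safe_resolve(base_dir, raw_item):
    """Decode, canonicalise, then require the result to stay under base_dir.

    Returns the resolved path, or None when the request must be refused.
    """
    try:
        # Strict decoding refuses invalid UTF-8 such as %c0%af or %c1%1c.
        decoded = unquote(raw_item, errors="strict")
    except UnicodeDecodeError:
        return None
    decoded = decoded.replace("\\", "/")  # treat ..\ the same as ../
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Compare canonical paths, so ../ and symlinks are already resolved.
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def compare(base_dir, samples):
    """Map each sample to (naive filter allows it, safe_resolve allows it)."""
    return {s: (naive_filter_allows(s), safe_resolve(base_dir, s) is not None)
            for s in samples}

if __name__ == "__main__":
    web_root = tempfile.mkdtemp()  # constructed stand-in for the web root
    # Constructed sample values, using the encodings listed in the note.
    samples = ["test1/about.jsp", "../product.jsp", "%2e%2e%2fproduct.jsp",
               "%2e%2e/product.jsp", "..%2fproduct.jsp",
               "%2e%2e%5cproduct.jsp", "%2e%2e%c0%afproduct.jsp"]
    for item, (naive_ok, safe_ok) in compare(web_root, samples).items():
        print(f"{item:26} naive allows={naive_ok!s:5} safe allows={safe_ok}")
```

The path returned by `safe_resolve` is the value that should be opened, so that the string that was checked and the string that is used are the same.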


As good ethical hackers, we must know how to close these loopholes while designing or securing a new or existing website. So I will also explain the protective measures for defending our website against directory traversal attacks. But for that you all need to wait for my next article :P.

I hope you all have enjoyed the article. If you have any queries or questions, or didn't understand anything, feel free to contact me through the comments below, or mail your request directly to lokesh@hackingloops.com.

If you like this article then please comment, and if you think something is missing and needs to be added, feel free to suggest it. Thanks for reading!

10 comments:

  1. sorry for being out of topic..

    I recently came across the "tamper data" addon for Firefox which can be used for SMS forging and sending SMS via any no. to any no.
    but I couldn't find any working way to implement it... can u please guide me on how to send SMS to anyone via any no.

    thank you..

  2. sir u r great sir some body cheat me it is very painful sir he was using his facebook from mumbai i m in rajsthan how can i see his password sir

  3. helpful..will keep close 2 ur post for more
    thnx

  4. Das surviving alot, thax
    happy deewali :)

  5. Nice one...it will be very useful for me if you could please tell me what are the protective measures to protect my site from such attacks.

  6. Waiting for your next article on the same. Please post it..:)

  7. Thanks for the article
    wait for the next
    :D
