OWASP TOP 10: Directory traversal ~2024

Vulnerabilities in Directory Traversal | Learn with Fun way

Rating: 5.00 (1 review)
Platform: Udemy
Language: English
Category: Network & Security
Students: 6
Content: 1.5 hours
Last update: Oct 2023
Regular price: $49.99

What you will learn

  • Access files and directories that are stored outside the web root folder

  • Accessing sensitive information

  • About the vulnerable code

  • Directory traversal mitigation

  • Access arbitrary files and directories stored on the filesystem

  • Lab details

Why take this course?

A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access. They do this by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.


The OWASP Top 10 provides rankings of, and remediation guidance for, the top 10 most critical web application security risks. Leveraging the extensive knowledge and experience of OWASP's open community contributors, the report is based on a consensus among security experts from around the world.


What is Directory traversal?

Directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

It is the second most prevalent and impactful vulnerability as per the OWASP “Top 10” list.



What is the difference between directory traversal and path traversal?

The main difference between directory (path) traversal and file inclusion vulnerabilities is the ability to execute source code that is not saved in interpretable files (such as .php, .asp and others).



Why learn about directory traversal vulnerabilities?

With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

Depending on how the website access is set up, the attacker will execute commands as the user account associated with the website. What the attacker can reach therefore depends on what that user has been given access to on the system.


How to prevent Directory traversal attacks

  • When making calls to the filesystem, you should avoid relying on user input for any part of the path.

  • If you really can’t avoid relying on user input, normalize the information or the path before using it. Then, check that its prefix matches the directory that users are permitted to access.

  • Process URI requests that do not result in a file request

  • Ensure that your web server operating system and critical application files are kept separate from each other

  • Do not run web servers under administrator or superuser accounts; use an account whose permissions allow it to read only the files it needs to run
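
The normalize-then-check-prefix step from the list above, as an added Python example that is not part of the course material; the directory names and sample request paths are constructed for illustration. It also shows why a plain string-prefix test is not enough: a sibling directory that shares the prefix, or a symlink inside the web root, passes the naive check but fails the component-wise one.

```python
import os
import tempfile

def resolve_under(base_dir, user_path):
    """Return the real path for user_path if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # Normalize first: join, then collapse "." and ".." and resolve symlinks.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        # Compare whole path components, not raw string prefixes.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside:
        raise PermissionError(f"outside permitted directory: {user_path!r}")
    return candidate

def naive_check(base_dir, user_path):
    """Weak variant for comparison: string prefix, no symlink resolution."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base_dir)

def demo():
    """Build a constructed directory tree and evaluate sample request paths."""
    root = os.path.realpath(tempfile.mkdtemp())
    web = os.path.join(root, "www")              # permitted directory
    private = os.path.join(root, "www-private")  # sibling sharing the prefix
    os.mkdir(web)
    os.mkdir(private)
    open(os.path.join(web, "index.html"), "w").close()
    open(os.path.join(private, "secret.txt"), "w").close()
    os.symlink(private, os.path.join(web, "link"))  # symlink leaving the root
    samples = ["index.html", "../www-private/secret.txt",
               "link/secret.txt", "/etc/passwd"]
    results = {}
    for path in samples:
        try:
            resolve_under(web, path)
            strict = True
        except PermissionError:
            strict = False
        results[path] = (naive_check(web, path), strict)
    return results

if __name__ == "__main__":
    for path, (naive, strict) in demo().items():
        print(f"{path!r:32} naive={naive!s:5} strict={strict}")
```

Each result is a pair (naive check passed, strict check passed); only `index.html` passes both.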

So, join now to learn in a fun way.

Udemy ID: 5126700
Course created date: 1/31/2023
Course indexed date: 2/6/2023
Course submitted by: Bot