
Path Traversal

A path traversal attack (also known as directory traversal) exploits a security vulnerability that allows an attacker to access files and directories on a web server outside the intended directory structure. It occurs when an application fails to validate user input properly, letting the attacker manipulate the file path the application opens.

How it works:

  1. User Input Exploitation: The attacker provides malicious input (e.g., ../../../../etc/passwd) to the application, often through parameters like file names or URLs.

  2. Path Manipulation: The application fails to sanitize or validate the input, allowing the attacker to traverse directories using special sequences like ../ (which moves up one directory level).

  3. Unauthorized Access: The attacker gains access to sensitive files, such as configuration files, passwords, or system files, potentially compromising the server.

Example:

If a web application displays files based on user input like example.com/file?name=report.txt, an attacker could manipulate the input to example.com/file?name=../../../../etc/passwd to access the server's password file.
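The handler described above, shown in its vulnerable form next to a hardened one. This is an added example, not code from the original page; the base directory /var/www/reports and the function names are assumptions for the illustration. The hardened version joins the user-supplied name onto the base directory, canonicalizes the result, and refuses anything that no longer sits under the base directory.

```python
import posixpath
from typing import Optional

# Constructed base directory for this example (hypothetical path).
BASE_DIR = "/var/www/reports"


def vulnerable_path(name: str, base_dir: str = BASE_DIR) -> str:
    """The 'before' form: the user-supplied name is joined onto the base
    directory with no validation, so '../' segments walk out of it."""
    return posixpath.join(base_dir, name)


def resolve_safe_path(name: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened form: join, canonicalize, then confirm the result is still
    inside base_dir. Returns None when the request must be refused."""
    # Null bytes truncate paths in C-based file APIs; never pass them on.
    if "\x00" in name:
        return None
    base = posixpath.normpath(base_dir)
    # normpath collapses '.', '..' and repeated separators lexically. If the
    # name is absolute, join() discards base_dir, which the check below catches.
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Require a strict prefix so the directory itself is never served.
    if candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for name in ("report.txt", "sub/../report.txt",
                 "../../../../etc/passwd", "/etc/passwd", "report.txt\x00.jpg"):
        print(repr(name), "->", vulnerable_path(name), "|", resolve_safe_path(name))
```

The check is purely lexical: a segment such as `....` is an ordinary file name to the operating system, so it stays inside the base directory and is only dangerous if some earlier layer strips `../` from it first. On a real server, once the file is known to exist, also resolve it with `os.path.realpath` and repeat the prefix check so a symbolic link inside the base directory cannot point outside it.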


Web Application Firewalls (WAFs) are designed to detect and block common attack patterns, including path traversal attempts. However, attackers often use creative techniques to evade WAF filters. Below are five ways attackers bypass WAF filtering in path traversal attacks:

1. Encoding and Obfuscation

Attackers encode or obfuscate the traversal sequence (../) to evade detection by WAFs.

Techniques:

  • URL Encoding: Replace characters with their URL-encoded equivalents.

    %2e%2e%2f%2e%2e%2fetc%2fpasswd

    (Represents ../../etc/passwd)

  • Double URL Encoding: Encode the payload twice.

    %252e%252e%252f%252e%252e%252fetc%252fpasswd

    (Represents ../../etc/passwd after double decoding)

  • Unicode Encoding: Use overlong UTF-8 (or other Unicode) encodings of the separator characters; %c0%af is an overlong two-byte encoding of /.

    ..%c0%af..%c0%afetc%c0%afpasswd

    (Represents ../../etc/passwd)

Example:

http://example.com/file?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd

2. Null Byte Injection

Appending a null byte (%00) can truncate the payload and bypass WAF filters that don't handle null bytes properly.

Example:

http://example.com/file?name=../../../../etc/passwd%00

The WAF might treat the trailing null byte as part of the file name and fail to match its signature, allowing the request through, while a server whose file APIs truncate strings at the null byte processes the path as ../../../../etc/passwd.


3. Using Alternative Path Separators

Some WAFs only block forward slashes (/) but not backward slashes (\), especially on Windows servers.

Example:

http://example.com/file?name=..\..\..\..\Windows\win.ini

This works on Windows servers where \ is a valid path separator.


4. Nested Traversal Sequences

Attackers can use nested or redundant traversal sequences to confuse WAFs.

Example:

http://example.com/file?name=....//....//....//etc/passwd

The WAF might not recognize ....// as a traversal sequence, but the server could normalize it to ../../.


5. Case Manipulation

Some WAFs are case-sensitive and may not detect traversal sequences if the case is altered.

Example:

http://example.com/file?name=..%2f..%2f..%2fetc%2fpasswd

Or:

http://example.com/file?name=..%2F..%2F..%2Fetc%2Fpasswd

(Using mixed case or uppercase encoding)


Bonus: Combining Techniques

Attackers often combine multiple techniques to bypass WAFs. For example:

  • Using URL encoding with null byte injection:

    http://example.com/file?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00

  • Using Unicode encoding with case manipulation:

    http://example.com/file?name=..%c0%af..%c0%afetc%c0%afpasswd

How WAFs Can Defend Against These Bypasses:

  1. Normalize Input: Decode and canonicalize input before applying filters.

  2. Use Context-Aware Filters: Detect traversal sequences regardless of encoding or obfuscation.

  3. Block Null Bytes: Reject any input containing null bytes.

  4. Whitelist Valid Input: Allow only known-safe characters and patterns.

  5. Regularly Update Rules: Stay updated with new evasion techniques and update WAF rules accordingly.
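The five defensive steps above, applied to the five evasion techniques described earlier, as one added example (not code from the original page). It is a small WAF-style normalizer and detector: input is URL-decoded repeatedly up to a fixed bound, overlong UTF-8 is folded back to ASCII, backslashes are unified with forward slashes, the result is lowercased, and only then are rules applied (null bytes, dot-dot segments, and a character allow-list for a single file name). The function names, the decode-round limit, and the allow-list pattern are assumptions for the illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Bound on repeated decoding so a deeply nested payload cannot stall the filter.
MAX_DECODE_ROUNDS = 3

# A path segment made only of two or more dots ('..', '....', ...).
TRAVERSAL_SEGMENT = re.compile(r"^\.{2,}$")

# Allow-list for a single file name (assumed policy): letters, digits, '_', '.', '-'.
SAFE_NAME = re.compile(r"^[a-z0-9_.-]+$")


def _fold_overlong_utf8(data: bytes) -> bytes:
    """Map 2-byte overlong encodings of ASCII (e.g. c0 af -> '/') back to the
    ASCII byte. Lead bytes 0xC0/0xC1 never occur in valid UTF-8, so this is safe.
    Longer overlong forms (3 bytes and up) are not handled here."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(raw: str) -> str:
    """Step 1: decode and normalize before any filter looks at the value."""
    data = raw.encode("utf-8", "surrogateescape")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)   # handles %2f, %2F and double encoding
        if decoded == data:
            break
        data = decoded
    data = _fold_overlong_utf8(data)       # ..%c0%af.. -> ../..
    text = data.decode("utf-8", "replace")
    text = text.replace("\\", "/")         # alternative separator
    return text.lower()                    # case manipulation


def inspect(raw: str) -> Tuple[bool, List[str]]:
    """Steps 2-4: apply context-aware rules to the canonical form.
    Returns (blocked, reasons)."""
    canon = canonicalize(raw)
    reasons: List[str] = []
    if "\x00" in canon:
        reasons.append("null byte")
    # Segment-wise check catches '....//' as well as plain '../'.
    if any(TRAVERSAL_SEGMENT.match(seg) for seg in canon.split("/")):
        reasons.append("dot-dot segment")
    if not SAFE_NAME.match(canon):
        reasons.append("not in allow-list")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    # Sample inputs: the page's example payloads plus one legitimate name.
    samples = [
        "report.txt",
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
        "..%c0%af..%c0%afetc%c0%afpasswd",
        "../../../../etc/passwd%00",
        "..\\..\\..\\..\\Windows\\win.ini",
        "....//....//....//etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",
    ]
    for s in samples:
        blocked, why = inspect(s)
        print(f"{s!r:50} -> {canonicalize(s)!r:35} {'BLOCK' if blocked else 'allow'} {why}")
```

Two design points worth noting. The decode loop stops when a round changes nothing, so a payload encoded more times than MAX_DECODE_ROUNDS reaches the rules still partly encoded and fails the allow-list, which is the fail-closed outcome. The segment rule deliberately flags any name that is only dots, including `...`, on the basis that such names are far rarer in legitimate traffic than in evasion attempts; a deployment that must serve them would tighten the rule to `..` and rely on the allow-list instead.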
