Directory traversal explained: Definition, examples and prevention

Directory traversal examples

In September, researchers discovered a “critical severity” directory traversal vulnerability in Atlassian’s Jira Service Desk Server and Jira Service Desk Data Center that could allow attackers to protected information belonging to the company’s customers, says Satnam Narang, senior research engineer at Tenable Network Security. 

“They can see bug reports and other things that are being tracked, like new feature requests,” he says. “Sensitive information that they shouldn’t access, potential trade secrets, all the issues that organizations handle internally.”

Tenable researchers were able to find publicly accessible Jira Service Desk portals with a simple search. Attackers could also use the information they glean from the tickets for social engineering, says Kevin Delaney, director of solutions engineering at Security Compass, a Toronto-based cybersecurity software company. “Someone can call you up and they have your ticket number, your email address — everything they need to convince you to trust them,” he says. “They can get you to give them your passwords or wire them money.”

Atlassian isn’t the only compay to make news with such a vulnerability. In late September, Adobe rushed out a fix for three vulnerabilities in its ColdFusion web development platform, including a “critical” path traversal vulnerability that could allow attackers by bypass access controls.

Another recent directory traversal disclosure was in June and involved Kubecti, a command-line interface for controlling Kubernetes clusters. According to Charles Ragland, security engineer with the Photon research team at Digital Shadows, the bug was in the cp command, which allows users to copy files from the Kubernetes pod to their local machine. “Due to the way that Kubernetes performed file transfers,” he says, “malicious users could copy relative file paths and potentially use this to execute code or elevate privileges.

And, it’s not just web applications that are vulnerable to directory traversal attacks. In September, researchers with Independent Security Evaluators found that 12 out of 13 routers and NAS devices from a range of manufacturers had security flaws that allowed the researchers to get remote root-level access — seven of those had path traversal vulnerabilities.

What is directory traversal?

In a directory traversal attack, also known as path traversal, an attacker enters information in a web form, URL address line, or another input method that gives them access to a file or directory that they shouldn’t have access to. For example, says Security Compass’ Delaney, an attacker could type a period, period, backslash to get to the parent directory. Attackers can use this vulnerability to access files on a web server or another device, or even to upload malicious files.

According to a research report released in September by Contrast Security, path transversal was one of the top three attacks in August, after SQL injection and cross-site scripting. Path transversal accounted for 17 percent of all attacks, targeting 69 percent of web applications. Path traversal was also one of the top ten most dangerous software errors, according to a report published by MITRE last month, based on about 25,000 CVEs from the past two years.

How to prevent directory traversal

First, inputs need to be validated, says Delaney. This is a key first step for building any kind of web form. Some of the most common vulnerabilities include this type of attack, including SQL injections.

It sounds like Security 101, but, as evidenced by the high number of reported vulnerabilities that fall into this category, developers keep making the same mistakes over and over again. “Developers have their user story and expect the security team to fix any security problems,” says Delaney, but security teams might not have the necessary expertise — or the time — to wade through insecure code to fix basic mistakes.

The second step is to ensure that all files and folders on the server have proper access controls. In addition, developers should avoid storing sensitive data in the web root of the application.

How to find directory traversal vulnerabilities

The best time to find directory traversal vulnerabilities is while the code is being written, by having a strong security focus right at the start of the software development process. The next best time is before the software is deployed, using code analysis tools.

However, these tools typically miss about half of all vulnerabilities, says Delaney. Plus, they typically have a high false positive rate as well, making the vulnerability remediation process lengthy and expensive.

Finally, once the software is up and running, either in a test environment or, in the worst case, in production, penetration testing can be used to find problems. One approach is to use fuzzing to try different inputs to see if any of them cause problems, says Delaney. The researchers who found the latest set of Android VoIP vulnerabilities used fuzzing, he says.

Patch path traversal vulnerabilities quickly

When it comes to popular software like Adobe ColdFusion, Jira Service Desk, and Android, prompt patching is essential. This can be difficult for some companies, where the patching and updating process is cumbersome. For example, some companies may restrict patching for mission-critical systems to Saturday mornings, says Delaney. In these cases, every second matters, he says.

For example, attackers can easily scan the web for Jira Service Desk portals and attempt to attack them, Delaney says. As more researchers look for path traversal flaws, often encouraged by bug bounty programs, attackers have more and more vulnerabilities to pick from. “It’s like being handed something on a platter,” sad Tenable’s Narang. “You have researchers publishing these details — it’s already being presented to them.”

In some cases, researchers will publish proof-of-concept code or provide enough details that attackers are able to figure out how to exploit the vulnerability. “Obviously, patching is important, and everyone has talked about it to death,” Narang says.

In cases when a patch can’t be immediately rolled out, there may be other mitigation measures that a company can take. In the case of the recent Jira Service Desk vulnerability, for example, companies can turn off the setting that allows anyone to file support requests without having to be authorized first.

Many organizations want to make it as easy as possible for people to file requests, says Narang, but if they can’t roll out the software update right away, they should turn it off until they can patch.