Directory Traversal Attacks

By Paladion

June 2, 2006

It is very essential to control the access to web content for running a secure web server. Directory traversal is an exploit that takes advantage of the lack of controls on the web server to access restricted directories and execute commands. So how can we prevent these directory traversal attacks on the web servers?

  1. Applying latest security patches
  2. Turning off directory-browsing
  3. Performing strong input validation with white lists
  4. Placing web-root directories and virtual directories on a separate partition from the system files
  5. Using tools
  6. All of the above.

We can see that there is no one foolproof solution to this attack. A combination of any of the above-specified methods could provide the best possible defense.

  • Application of latest security patches for the web server and application ensures that an attacker cannot take advantage of any vulnerability that may lead to such an attack.
  • Most web servers have configuration options to turn off directory traversing. But an attacker can still perform directory traversing by exploiting any weakness in the application.
  • Validating user input with white lists ensures that the application accepts only the  expected input and rejects all other invalid input. With such a white list, any suspicious input, such as “../”, or one which contains system file path names, will not be processed by the application.
  • Most methods of directory traversal will not work across drives. Placing web-root and virtual directories in a separate partition will ensure that system files and tools cannot be accessed by the attacker. Do not use default web-root directories of web servers.
  • There are also tools available for this purpose. Some of the tools that can be used to protect against directory traversal attacks are:

Tags: Quiz