Tactical Advice

Directory Traversal Attacks

Don't fall victim to directory traversal attacks that target Web servers.
This story appears in the March 2007 issue of BizTech Magazine.

When it comes to security, Web sites unfortunately take the back seat.

Sure, their handiness has made Web applications ever more popular with users. But their status as a channel between a company’s databases and external users also leaves them particularly susceptible to security threats from hackers.

There are many ways a site can be vulnerable: cross-site scripting, Structured Query Language injection and directory traversal. Of the three, the least talked about is the directory traversal attack. Possible targets include files that contain passwords, private keys for Secure Sockets Layer certificates and even Web server logs.

What Is a Directory Traversal Attack?

In a directory traversal attack, hackers exploit a vulnerability in a Web server’s HyperText Transfer Protocol by accessing restricted directories and then executing commands outside of the Web server’s root directory.

A typical Web server offers two means of providing security against such threats: access control lists (ACLs) and the root directory. The root directory is a precise directory on the server file system that does not allow ordinary users to access specified sensitive files on the server, namely the command file on a Windows platform and the /etc/passwd file on Unix and Linux platforms.

The Web administrator adds users and groups to the ACL depending on their access needs, with authorized users able to access, modify and execute certain files on the server. The root directory keeps users confined to specific directories on the server file system beyond which they cannot gain access. For example, when the default root directory for the Internet Information Server (IIS) on Windows is c:\inetpub\wwwroot, a user would not have access to c:\windows but would have access to c:\inetpub\wwwroot\news as well as other directories and files under the root directory — as long as the ACL has authenticated that user. When the Web application contains dynamic pages, browser input is generated via “GET” or “POST” requests and a “GET HTTP” request URL for instance, would appear as:

In this example, the browser requests the dynamic page stuff.asp from the server, while it sends the view parameter (with material.html as its value). stuff.asp honors the request, retrieves the material.htm file from the server’s file system and sends it back to the user as a display on the browser. Hackers with Web browsers and an inkling of the location of default files and directories on a system would be able to carry out a directory traversal attack. Using our example, a hacker would likely input the following, based on the assumption that stuff.asp will retrieve system files:

The dynamic page would oblige by retrieving the system.ini file for display to the user. Where “../” appears, the system is being instructed to move up one directory, not an unusual operating system command. With a little trial-and-error effort, a hacker could readily determine how many directories he would need to go up to find the Windows folder on the system. 

What Can Attackers Do if Your Site Is Vulnerable?

Vulnerability can exist either in the Web server software itself or in the Web application code.

Imagine you have spent a couple of years building a community of users for your business’ site. From a marketing perspective, this is a living document that helps you tweak your service or launch new products. One day a hacker comes along, puts a database command into your login page and gains entry to your forum — giving him the ability to essentially upload any comment he wants, even delete all your posts.

This is simple Web site defacement. Sadly, more treacherous hackers are not interested in such exploits. Professional hackers target data; they will employ almost any means to get at your data and will sell it for illegal uses such as credit card fraud or cyberterrorism attacks.

How to Check for Vulnerabilities

A Web vulnerability scanner is a good tool for determining weaknesses in your applications and Web sites. A scanner can run through an entire site checking for directory traversal susceptibility (as well as cross-site scripting, SQL injection and other vulnerabilities) and will suggest repairs. Although a vulnerability scanner is helpful, site security still remains the most overlooked aspect of protecting sensitive corporate data. A Web site audit will offer a more thorough examination of a site’s weaknesses.

How to Protect Against a Directory Traversal Attack

Placement of the root directories of your Web server on nonsystem, separate partitions can thwart traversal attacks, as attackers will not be able to access system files and tools. Users cannot traverse drives because most Web servers have configuration options to turn off traversing; select this option rather than keeping the default Web server Web root directories. (Note: Web sites that are Windows-based use the \inetpub\wwwroot as the default directory for Web site content location). For systems installed on the c: drive for instance, moving your site and content directory to drive another would be a better option. As always, maintaining up-to-date security patches for your Web server and applications goes a long way toward keeping attackers at bay, as does validating user input.

By requiring validation, only authorized or “white-listed” user input will be processed. Lastly, if you are using an IIS Web server, you may find it helpful to download and use the IISLockdown, a free tool available at www.microsoft.com/technet/security/tools/locktool.mspx.

Douglas Schweitzer, A+, Network+, iNet+, CIW, is an Internet security specialist and author of several information security books.
Sign up for our e-newsletter


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.