Directory traversal attacks consist of changing the path in the URL in order to access directories of the site that the user is not authorized to reach.
14 days Free trial
No Commitment
The directory traversal flaw allows attackers to browse all files and directories on a server recursively. Any web server that does not properly validate user input is vulnerable to this type of attack.
If the attempt succeeds, the attacker can view and modify confidential files and configuration files, and use them to execute malicious code of their own. An attacker may be able to read the contents of confidential files stored on the server and circulate this sensitive data, or sell it to other malicious parties.
On vulnerable servers, one simply has to climb the path with several "../" sequences: http://domaine.com/../../../../directory/file
It is also possible to encode some characters:
Via URL encoding:
http://domaine.com/..%2F..%2F..%2Fdirectory/file
%2F is the URL-encoded value of "/"
Or with a Unicode encoding:
http://domaine.com/..%u2216..%u2216directory/file
%u2216 is the Unicode-encoded value of "/"
To protect yourself against this type of vulnerability, it is essential to configure your web server properly in order to prevent a user from navigating to pages they are not supposed to access.
A few pieces of advice:
Detect security flaws on your website or web application with the HTTPCS Web Vulnerability Scanner. This online security tool lets you detect the flaws you have (OWASP Top 10, CVEs and other vulnerabilities implemented in the robot) to ensure the best protection of your site on a daily basis. Easily schedule automated audits, discover your vulnerabilities and find out which patches to apply to avoid being hacked.
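The following is an added example, not code from the HTTPCS page, showing the server-side check the paragraph calls for: decode the "../", %2F and %u2216 forms described above (including double encoding), normalize the result, and reject any request whose path resolves outside the web root. The root directory `/srv/app/public` and the sample request paths are constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed request paths mirroring the page's examples; not real targets.
SAMPLE_PATHS = [
    "../../../../directory/file",        # plain "../" climbing
    "..%2F..%2F..%2Fdirectory/file",     # %2F-encoded separators
    "..%u2216..%u2216directory/file",    # %u-style Unicode escape (page example)
    "%252e%252e%252fdirectory/file",     # double-encoded "../"
    "images/logo.png",                   # legitimate file under the root
]

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(raw: str, rounds: int = 3) -> str:
    """Decode %XX and %uXXXX escapes repeatedly until the value stops changing.

    Multiple rounds catch double encoding; the bound prevents endless loops.
    """
    s = raw
    for _ in range(rounds):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded)
        if decoded == s:
            break
        s = decoded
    # Treat backslash and the glyph reached via %u2216 as path separators,
    # as the page describes, so they cannot slip past a "/"-only check.
    return s.replace("\\", "/").replace("\u2216", "/")


def resolve_under_root(root: str, raw: str):
    """Return the resolved absolute path if it stays inside root, else None."""
    root_abs = os.path.realpath(root)
    rel = canonicalize(raw).lstrip("/")
    target = os.path.realpath(os.path.join(root_abs, rel))
    # The trailing separator stops "/srv/app/public2" matching "/srv/app/public".
    if target == root_abs or target.startswith(root_abs + os.sep):
        return target
    return None


def classify(root: str, raw: str) -> str:
    """'allow' when the request stays under root, 'deny' when it escapes."""
    return "allow" if resolve_under_root(root, raw) else "deny"


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify('/srv/app/public', p):5} {p!r} -> {canonicalize(p)!r}")
```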