Directory traversal
Wednesday 2nd August 2023 (updated: Monday 1st January 2024)
PHP
Research
Development
Cyber Security
Sometimes refered to as file path traversal.
I have become fascinated with the techniques attackers may use to discover web server directories and files. Specifically, of course, those directories and files that are not intended to be obvious.
A simple look at robots.txt in the root directory may unearth some resources that aren't meant to be viewed. By virtue of the fact they are listed in the .txt file the website owners don't want search engines indexing them. This is all above board and I've found some interesting and unexpected resources using this technique.
So, I read with interest PortSwigger's page on directory traversal that introduced a terrible bit of coding that I confess I'd never considered. And that's with 25+ years web development under the belt.
<img src="/loadImage?filename=218.png">The thought of a file essentially pulling in a resource from any client defined resource on the web server terrifies me.
And it does of course lead to this type of activity (UNIX filesystem example):
https://insecure-website.com/loadImage?filename=../../../etc/passwdWith such an easy way to 'guess' at resource names it makes sense that some kind of a dictionary reconnaissance would be fairly straight forward.