CEH

322 Chapter 13 ■ Web Servers and Web Applications


With this URL, the browser requests the dynamic page show.asp from the server and with
it sends the parameter view with the value history.html. When the request is executed
on the web server, show.asp reads the file history.html from the server's filesystem and
returns it to the requesting party. From this behavior an attacker can infer that
show.asp will read whatever filename it is given, and craft a custom URL:

http://beta.canadiens.com/show.asp?view=../../../../../Windows/system.ini

This causes the dynamic page to read the file system.ini from the filesystem and
display it to the user. The sequence ../ is the operating system's parent-directory
reference: each occurrence moves one directory up. The attacker has to guess how many
levels up the Windows folder lies relative to the directory show.asp reads from, but this
is easily done by trial and error, and guessing too high costs nothing, because the path
cannot climb above the drive root, so surplus ../ sequences are simply ignored.

The actual directory structure varies from server to server, so this step
may take a fair amount of trial and error. Bear in mind, however, that
software is commonly installed into its default folders and structures,
so the default layout is a good first guess.

Of course, you don't need to write code to attack the server; the browser alone will do.
A web server may be completely open to a directory traversal attack, waiting only for an
ambitious attacker to track down sample files and scripts and use them against it.
For example, a URL request that uses the scripts directory of IIS to traverse out of the
web root and execute a command can look like this:

http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

The request returns a listing of every file in C:\ by executing the command shell
cmd.exe and running dir c:\ inside it. The %5c in the URL is URL (percent) encoding: a
percent sign followed by the two-hexadecimal-digit value of a byte, here 0x5C, the
backslash character. The backslash is encoded so that the server's path check does not
recognize it as a directory separator, while the filesystem still treats it as one once
the request has been decoded.

Most modern web servers decode and normalize the request path and reject
such encoded or malformed sequences before they reach the filesystem.
With so many web servers of so many different types in use, however, it
is entirely possible that the server you choose to attack does not filter them.

Directory Traversal Attack Countermeasures
A handful of methods can be used to thwart directory traversal attacks, such as:
■ Running modern web server software and ensuring that up-to-date patches are installed.
■ Filtering and canonicalizing user input before it reaches the filesystem: decode the
request path, normalize it, and confirm that the resulting path still lies within the web
root. Most modern web servers can reject nonstandard requests or encodings themselves.
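The following Python script is an added example and is not code from the chapter. It shows both sides of what the text describes: a naive lookup that glues the view parameter onto the web root exactly as show.asp is described as doing, and a hardened resolver that decodes the request once, canonicalizes it, and refuses anything that ends up outside the web root. The web root C:\inetpub\wwwroot (the IIS default), the use of ntpath so the script behaves like a Windows server on any host, and the request values fed to it are assumptions made for the example.

```python
"""Directory traversal: a naive file lookup versus a hardened one.

Added example, not taken from the book. WEB_ROOT and the sample requests
are assumptions; ntpath is used so Windows path rules apply on any host.
"""
import ntpath
import urllib.parse
from typing import Optional

# Assumed web root: the IIS default. show.asp is modelled as reading files
# relative to this directory.
WEB_ROOT = r"C:\inetpub\wwwroot"


def decode_request_path(raw: str) -> str:
    """Undo percent-encoding once, as the web server does before the path
    reaches the filesystem: %5c -> \\, %2f -> /, %2e -> .
    A value that still contains '%' after one pass is either malformed or
    is hoping for a second decode later on; safe_resolve rejects it."""
    return urllib.parse.unquote(raw)


def naive_resolve(view: str) -> str:
    """What the vulnerable page does: append the (already decoded) parameter
    to the web root with no validation. Every ../ or ..\\ walks one level up,
    and nothing stops the walk at the web root. Surplus ../ beyond the drive
    root are discarded by normalisation, which is why over-guessing works."""
    return ntpath.normpath(ntpath.join(WEB_ROOT, view))


def safe_resolve(view: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened lookup. Returns the canonical on-disk path if the request
    stays inside root, or None if it would escape.

    1. decode exactly once and refuse anything still percent-encoded,
    2. canonicalise (collapses '.', '..', and mixed / and \\ separators),
    3. require the result to be root itself or a path below root.
    The containment check also catches absolute (C:\\...) and root-relative
    (\\Windows\\...) values, which ntpath.join would otherwise honour."""
    decoded = decode_request_path(view)
    if "%" in decoded:
        return None
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, decoded))
    # normcase folds case and separators, as NTFS and IIS do when comparing
    root_cmp = ntpath.normcase(root_norm)
    full_cmp = ntpath.normcase(full)
    if full_cmp != root_cmp and not full_cmp.startswith(root_cmp + ntpath.sep):
        return None
    return full


def traversal_depth(root: str) -> int:
    """Number of ../ needed to climb from the web root to the drive root:
    the figure the attacker guesses by trial and error. For the assumed
    root this is 2; the book's URL uses five, which still lands in C:\\."""
    _drive, rest = ntpath.splitdrive(ntpath.normpath(root))
    return len([part for part in rest.split(ntpath.sep) if part])


if __name__ == "__main__":
    # Constructed sample requests: the two URLs from the text plus variants
    samples = [
        "history.html",                        # legitimate request
        "../../../../../Windows/system.ini",   # first URL in the text
        "..%5c../Windows/System32/cmd.exe",    # %5c-encoded backslash variant
        "..%255c../Windows/system.ini",        # double-encoded, decodes to %5c
        r"\Windows\system.ini",                # root-relative, no ../ at all
    ]
    print(f"web root {WEB_ROOT} is {traversal_depth(WEB_ROOT)} levels deep")
    for view in samples:
        naive = naive_resolve(decode_request_path(view))
        print(f"{view!r:40} naive -> {naive:32} safe -> {safe_resolve(view)}")
```

The important ordering is decode first, then canonicalize, then check containment; a filter that looks for "../" in the raw query string is exactly what the %5c and double-encoded forms are designed to slip past.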