Categories: Security Tips

What Is Path Traversal Attack And How To Prevent It?

Commonly known as directory traversal, a Path Traversal attack aims at gaining unauthorized access to directories and files stored outside the web root folder (www/var).

It usually targets config files that are not intended for public view. It gains access by manipulating (../) dot-dot-slash files along with its different variants and file paths. Apart from this attackers also exploit web server vulnerabilities. They use absolute or relative file paths instead of valid file names to access system files, application source code, and server logs along with few other files containing confidential information.

How To Check If You Are Vulnerable To Directory Traversal Attack?

  • Avoid storing files containing sensitive information inside the web root.
  • If you are working on IIS servers then ensure that the web root is not included in the system disk.
  • Be fully aware of the operating system of your device and how it processes the filenames given to it.

How To Prevent Path Traversal Attack?

Here are a few simple methods that will help you stay protected from a Directory Traversal Attack.

  • Ensure that you give appropriate permission to the files and directories. On Linux devices, the PHP file runs as www-data users which can prevent users from accessing system files but it does not prevent them from accessing config files specific to web-applications.
  • Try to process URI files that do not lead to file requests.
  • Whenever you are making a URI request for a file/directory, try building a proper file/directory path and ensure that you normalize the characters as well.
  • Once you have created a fully normalized and qualified Document Root with a specific string length N. Ensure that no files are served outside this directory.
  • Another point that you need to consider to avoid the Path Traversal attack is that the N character of the Document Root should always match the ones of the qualified path to the requested file.

In addition to this, keep your Web Server software updated with the recent patches. This will keep you protected and will also reduce the security risks to a great extent.

Adrian

Recent Posts

Block Spotify Ads: Is it Worth and Legal? Useful Tips

As a Spotify Free user, you might feel like you want to block Spotify ads. This could be because they…

12 months ago

Hacked Spotify Account? Tips to Regain Access

As it is one of the most popular digital music, podcast, and video services, a hacked Spotify account may be…

1 year ago

Learn about Cracking. Essential Security Tips to Keep It Away

You may, or may not have heard about cracking. Either way, you should be aware of this threat, and learn…

1 year ago

What Is Victim Fraud Shame? Useful Tips to Fight Against It

Victim fraud shame is a very dangerous thing that may happen to those who become online victims. Some of them…

1 year ago

Five Steps to Stay Safe Online. Essential Security Tips

We assume that everybody wants to stay safe online. For this, some simple, still very important rules should be followed.…

1 year ago

How to Report Cybercrime? Become a Security Hero

Have you ever thought about how you could report Cybercrime? Maybe you or one of your friends became the victim…

1 year ago