What is a path traversal vulnerability?
A path traversal attack (also known as directory traversal) aims to access files and directories stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.
It should be noted that access to files is limited by system operational access controls (such as when a file is locked or in use on the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing”, and “backtracking”.
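The following is an added example (not part of this article or the scanner's own code) showing why the "dot-dot-slash" sequences, their encoded variations and absolute paths described above escape the web root, with the vulnerable join beside a hardened resolver that rejects anything landing outside the root. The web root path and the sample inputs are constructed for the demo.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the demo (assumed value, not from the article).
WEB_ROOT = "/var/www/html"


def naive_resolve(user_path: str) -> str:
    """Vulnerable pattern: join user input straight onto the web root.

    posixpath.join discards WEB_ROOT entirely when user_path is absolute,
    and normpath collapses '../' sequences right out of the root.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened resolver: decode, neutralise separators, normalise, then
    verify the result still lies under WEB_ROOT. Returns None on escape.

    Note: normpath does not follow symlinks; for real files on disk, run
    os.path.realpath on the candidate before the containment check.
    """
    decoded = unquote(unquote(user_path))   # %2e%2e%2f and double-encoded variants
    decoded = decoded.replace("\\", "/")    # treat backslash variants as separators
    relative = decoded.lstrip("/")          # absolute paths become root-relative
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    # commonpath is the check that matters: a plain string-prefix test would
    # wrongly accept "/var/www/html-secrets" as being inside "/var/www/html".
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: plain, URL-encoded, double-encoded,
    # backslash and absolute-path variations of the same idea.
    samples = [
        "images/logo.png",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\..\\etc\\passwd",
        "/etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:50} naive={naive_resolve(s)!r:30} safe={safe_resolve(s)!r}")
```

Every rejected input is exactly the kind of request the scanner's basic and advanced methods send; logging the `None` outcomes gives you a cheap detection signal for traversal probing against your own application.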
By default, the web assessment profile includes HID-3-5-10133, which provides two methods for finding path traversal vulnerabilities.
Basic Method
- Small payload list of well-known files
- Detection based on string matches in responses
- If our plugin finds a path traversal vulnerability, it also tries to check whether it could escalate that into a local file inclusion RCE (via log poisoning)
Advanced Method
Add HID-3-0-10230 to the web assessment profile, or import the "Web scan - Advanced config" profile from the profile library in your Security Center.
The assessment will first run the basic method, then the advanced method.
- Big payload list (increases the total assessment duration)
- Detection based on response lengths (possible false positives)
How do we combine directory traversal + local file inclusion?
- Local file inclusion vulnerability. The resource is loaded and executed in the context of the current application. Impact: Possible remote code execution
- Directory traversal vulnerability. Only gives you the ability to read the resource. Impact: Information disclosure
- We cover the remote file inclusion vulnerability in a separate HID.