What is Directory Traversal?

Captions
Hey, what's up, Intigriti fam! We are having another session today, another Hackademy lab, around directory traversal, and if you don't know what that is for now, then let's just immediately jump into the lab because it will make it way clearer. Today's lab is once again provided by PortSwigger, and what we are having over here is a little shop application with multiple products. We're just going to have a look at our first product over here, which is called "burp protection". There's a little title to it, it has a price, it has an image, and if we scroll down then we will also see that there's a little bit of a description to it, but all of that doesn't seem to be super interesting. So we're looking at Burp Suite in the back, and there are a couple of requests going out, as we can see. Scrolling over those, we see that once again this is not really interesting, but what we're realizing is that we're blending out images, CSS and other binary at this point. So for this lab we're going to include images, and once we hit the apply button we'll actually see that there are more requests floating around in Burp's overview right now, and we're seeing all the images that were loaded once we loaded the shop. If you look closely in the response tab you can see that all those images are getting returned, so we're requesting a specific image lying around at a server and the server says, well, here you go, here is your image, take it and just show it within the browser. So we're going to take one of those right now and send it to Repeater, and if we send it again we do see that the image is returned all over again.

So what happens if we try to escape out of this path? Right now we're asking for 42.jpeg, and this is lying somewhere on a server; we're just assuming right now that it is lying on a Linux server. So what happens if we use dot slash? On a Linux file system we're going back in terms of directories, we're moving up, and if we do this over and over and over again, what you can see over here is that we're moving to the root directory, and then we can say, okay, let's go to /etc and let's display the passwd file. Once we do that, we send it to the application, to the server, and we do see that we actually get this file, and in that sense we were traversing the directory, we were going up. All right, so we have solved this lab.

But today we're not going to stop here, because right now this was like a pretty generic example and I want to show you some other examples, for example right now where the traversal sequences we have used right now are blocked. So let's have another look at the Repeater tab over here: we're once again getting our image, and we just, you know, try it out again to use our traversal payload, so we're going to say ../../ yada yada /etc/passwd, and once we hit the send button it tells us, oh, there is no such file. So this didn't work out, so at this point we know that there is some sort of sanitization in place, or at least something in place that is not allowing us to step up. So what we can try to do right now is we can just use an absolute path instead of a relative path, so we're going to send it to the application one more time, and there you go, we got our file once again. This is another way, or like an option, like a payload option that you can try for directory traversals.

I want to have a look at another one together with you. So right now we are once again in Burp Suite's Repeater and we're using our ../ payload like usual a couple of times to move up to the root of the directory, and we're going to send it and it tells us again no such file; we've seen this 30 seconds ago. Now what we're trying to do is we're trying to alter the payload a little bit, so instead of just saying ../ we're going to say ....// so we're just using every single character two times, and the idea here is that the dot slash is getting stripped and then the remaining items, the remaining characters, are once again dot slash, and in that lab this actually worked out: we're having a file again, so we've solved the lab.

And yeah, with that, let's reiterate as usual what we have seen and learned. So we did see a web application that relies on files that are lying around on the server, which is pretty usual. In our case today we saw images getting loaded from a directory that could be, for example, /var/www/images, and then within that directory you would find image1.png, image2.png, or they could have like a name, and we were moving back up that directory to the root of our entire file system, and then from there on we could navigate to files where we know that they exist. With the /etc/passwd file on a Linux file system we know that it's located under /etc/passwd, and this is exactly what we included: we included a local file off that server and we got it printed in the server response. And this is it. If you have any remaining questions, please put them down below in the comment section, also give this video a like and, yes, subscribe to our channel, and I'll see you folks soon.
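As an added example (not code from the video or from the PortSwigger lab), the following Python shows from the defender's side why the filters seen in the lab fail: a resolver that strips `../` once is bypassed by an absolute path and by the nested `....//` sequence, while a resolver that canonicalises with `os.path.realpath` and checks containment against the image root keeps every request inside that root. `IMAGE_ROOT` and the request names are assumptions for this example.

```python
import os
from typing import Optional

# Assumed image directory for this example (the video mentions a location
# such as /var/www/images); it does not need to exist to run the checks.
IMAGE_ROOT = "/var/www/images"


def naive_resolve(filename: str) -> str:
    """Mimic the weak filter seen in the lab: strip '../' once, then join.

    '....//' survives the strip as '../', and an absolute path makes
    os.path.join discard IMAGE_ROOT entirely, so both bypasses escape.
    """
    cleaned = filename.replace("../", "")
    return os.path.normpath(os.path.join(IMAGE_ROOT, cleaned))


def safe_resolve(filename: str) -> Optional[str]:
    """Resolve the request and refuse anything outside IMAGE_ROOT.

    Returns the canonical path when it stays inside the root, else None.
    No sequence is stripped; the decision is made on the resolved path.
    """
    # An absolute path would replace the root in os.path.join, so reject it.
    if os.path.isabs(filename):
        return None
    root = os.path.realpath(IMAGE_ROOT)
    candidate = os.path.realpath(os.path.join(IMAGE_ROOT, filename))
    # commonpath compares whole components, so '/var/www/images-old'
    # is not mistaken for being inside '/var/www/images'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Note: '....//' is never stripped here, so '....' is just an ordinary
    # (nonexistent) directory name and the request stays inside the root.
    return candidate


# Constructed inputs: a legitimate request plus the three payloads from the video.
PAYLOADS = {
    "legit": "42.jpeg",
    "plain": "../../../etc/passwd",
    "absolute": "/etc/passwd",
    "nested": "....//....//....//etc/passwd",
}

if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:9} naive={naive_resolve(p):32} safe={safe_resolve(p)}")
```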
Info
Channel: Intigriti
Views: 42,906
Keywords: intigriti, hackademy, vulnerability, chaining, enablement, education, directory, traversal
Id: 17KYOIf5ZbU
Length: 6min 31sec (391 seconds)
Published: Thu Dec 23 2021