CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
Last updated
Overview
CAPEC-139 (Relative Path Traversal) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Fingerprinting of the operating system] In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.
- Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
- TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
- Induce errors to find informative error messages
- Step 2Explore
[Survey application] Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.
- Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
- Use a browser to manually explore a website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate the URL discovery.
- Step 3Experiment
[Attempt variations on input parameters] Using manual or automated means, an adversary attempts varying relative file path combinations on all found user input locations and observes the responses.
- Provide "../" or "..\" at the beginning of any filename to traverse to the parent directory
- Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".
- Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.
- Step 4Exploit
[Access, modify, or execute arbitrary files.] An adversary injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.
- Manipulate file and its path by injecting relative path sequences (e.g. "../").
- Download files, modify files, or try to execute shell commands (with binary files).
What the attacker needs
Prerequisites
- The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.
Skills required
- Low skill: To inject the malicious payload in a web page
- High skill: To bypass non trivial filters in the application
Consequences
What a successful CAPEC-139 attack can achieve.
Modify Data
Affects: Integrity
Read Data
Affects: Confidentiality
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Bypass Protection Mechanism
Affects: Access Control
Unreliable Execution
Affects: Availability
How to mitigate it
Defenses that reduce the risk of CAPEC-139.
- Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement
- Implementation: Perform input validation for all remote content, including remote and user-generated content.
- Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.
- Implementation: Prefer working without user input when using file system calls
- Implementation: Use indirect references rather than actual file names.
- Implementation: Use possible permissions on file access when developing and deploying web applications.
Examples
The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file. http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string. Then an attacker creates special payloads to bypass this filter: http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd When the application gets this input string, it will be the desired vector by the attacker.
Frequently asked questions
Common questions about CAPEC-139.
- What is CAPEC-139?
- An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
- How does a Relative Path Traversal attack work?
- It typically unfolds over 4 phases. It begins with: [Fingerprinting of the operating system] In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.
- How do you prevent CAPEC-139?
- Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement
- What weaknesses does CAPEC-139 target?
- CAPEC-139 exploits 1 CWE weakness, including CWE-23 (Relative Path Traversal).
- How severe is CAPEC-139?
- MITRE rates CAPEC-139 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-139
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.