Path Sanitization Bypass

In a path sanitization bypass attack (also called path traversal or directory traversal), the attacker gains unauthorized access to confidential files in the filesystem of the web server. Sites that do not adequately validate or sanitize user-provided paths before using them in filesystem calls are vulnerable to this attack.

Attack Vector

This attack uses sequences of "dot-dot-slash" (../) in the path portion of the URI to walk up through the directory tree. The attacker may attempt to read sensitive files either inside the webroot (files the server was never meant to serve) or outside it (configuration files, credentials, operating system files). The vulnerability results from a failure to canonicalize the user-provided path before deciding whether to serve it, which allows the attacker to escape the intended filesystem context. When a filter only looks for the literal characters, attackers also try encoded forms of the same sequence, such as %2e%2e%2f or the double-encoded %252e%252e%252f, which the server decodes back into ../ before opening the file.

Impact

The impact of a path sanitization bypass varies: the attacker may simply learn the filenames within a directory, or gain read access to files containing sensitive information. In severe cases, where the user-provided path is also used to create or overwrite files, the exploit may give write access to the application code or even to operating system files, allowing the attacker to take control of the server or change the site's behavior completely.

Attack Examples

Example 1- Reading a secret file

Eve is a student in CS166 and has access to homework 1, located at http://cs.brown.edu/1660/students/homework1.pdf. She knows that the solution to homework 1 is stored at cs.brown.edu/1660/admin/solution1.pdf. However, the server maintains a list of files it should not serve to unauthenticated users, and this file is on it. Instead of requesting it directly, she requests http://cs.brown.edu/1660/student/homeworks/../../admin/solution1.pdf. The server compares the raw request path against its list before resolving the ../ segments, so the request does not match the denied entry; the filesystem then resolves the same path to /1660/admin/solution1.pdf, and Eve is able to exfiltrate homework 1's solutions.

Defenses

The best way to defend against this attack is to not let user input in the URI determine filesystem calls at all: map request names to files through a fixed lookup (for example an allowlist of known filenames), or store the files in a database that only server-side code can fetch from rather than in the web server's filesystem. If user input must be used to select files because of design constraints, the next best option is to properly sanitize it before processing it: decode any percent-encoding once, collapse . and .. segments, resolve symbolic links, and verify that the resulting canonical path is still contained within the base directory of the web root. Only then, on that resolved path and never on the raw input, check that it refers to a file the user is allowed to access.
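The following is an added example (not code from the original page or from the course) that shows both halves of the story: the check from Example 1 that is applied to the raw path and so misses the traversal, and a hardened resolver that decodes, canonicalizes, confines the result to the web root, and only then consults the access list. The document root, the confidential-file set and the function names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed example data (not from the page): the server's document root and
# the list of files that must not be served to unauthenticated users.
WEBROOT = "/var/www/1660"
CONFIDENTIAL = {"/var/www/1660/admin/solution1.pdf"}


def vulnerable_resolve(request_path):
    """The failure from Example 1: the denylist is consulted on the raw request
    path, so the '..' segments are still present when the check runs and are
    only collapsed later, when the OS opens the file.  Returns the path that
    open() would actually hit, or None if the request was denied."""
    fs_path = WEBROOT + request_path
    # '/var/www/1660/student/homeworks/../../admin/solution1.pdf' is not in the set...
    if fs_path in CONFIDENTIAL:
        return None
    # ...but this is what the filesystem resolves it to.
    return posixpath.normpath(fs_path)


def safe_resolve(request_path, authenticated=False):
    """Hardened version: decode, canonicalize, confine to WEBROOT, and only
    then apply the access-control check to the path that will really be opened."""
    # 1. Percent-decode exactly once.  A '%' that survives means the client
    #    sent a double-encoded path (%252e -> %2e); reject instead of decoding
    #    again.  NUL bytes are rejected because C-level open() would truncate there.
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded:
        return None
    # 2. Treat backslash as a separator too, so 'student\..\admin' cannot slip
    #    past a check that only looks for '/'.  (Policy choice for this example.)
    decoded = decoded.replace("\\", "/")
    # 3. Join to the document root and collapse '.' and '..' lexically.
    candidate = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    # 4. Containment check on the *canonical* path.  commonpath avoids the
    #    classic prefix bug where '/var/www/16600' would pass a startswith test.
    #    In production, also run os.path.realpath() so a symlink inside the
    #    web root cannot point outside it.
    if posixpath.commonpath([WEBROOT, candidate]) != WEBROOT:
        return None
    # 5. Authorization decision on the resolved path, never on the raw input.
    if candidate in CONFIDENTIAL and not authenticated:
        return None
    return candidate


if __name__ == "__main__":
    eve = "/student/homeworks/../../admin/solution1.pdf"
    print("vulnerable:", vulnerable_resolve(eve))   # serves the solutions
    print("hardened:  ", safe_resolve(eve))         # None: denied
    print("encoded:   ", safe_resolve("/student/%2e%2e/%2e%2e/admin/solution1.pdf"))
    print("escape:    ", safe_resolve("/../../../etc/passwd"))
```

The order of the steps is the point: the containment and authorization checks run on the path the filesystem will actually open, so the literal, percent-encoded and double-encoded forms of Eve's request all collapse to the same denied path, and a request that tries to leave the web root is refused rather than silently clamped.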

Criteria for Demonstration

Provide the exact input you used to accomplish this attack, as well as the resources in the filesystem that you were able to access.

Resources


knambara