path-byp

Path Sanitation Bypass

A Path Sanitation Bypass attack allows an attacker to access a file by requesting a relative file path (i.e. using ..) and bypassing an access control scheme that fails to properly account for input of this type. Note that "accessing a file" is not restricted to reading the contents of that file. Some path-byp attacks might instead provide a path which forces the program itself to read or execute a file to the advantage of the attacker.

Attack Vector

This vulnerability is potentially present anytime a program treats user input as a file path (or part of a file path).

Impact

All the severity categories can be achieved using this attack. If the vulnerable program returns a file to the user based on some file path input, then the attack is likely data exfiltration. If the vulnerable program reads or executes some file based on user input, then the attack may result in arbitrary code execution.

Defenses

Defending against Path Sanitization Bypass attacks requires proper path sanitization. Exactly what this means is highly context-dependent, but some universal strategies are often useful:

  • Resolve relative paths to absolute paths before applying access control logic.
  • Keep a safelist of files that the program can access and reject requests to access all other files (this is a very conservative strategy that may be infeasible in many contexts).
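
One way to apply the first strategy, shown as an added example that is not part of the original page: a check on the unresolved string sits beside a check made after the path has been resolved. The function names and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile


def naive_is_allowed(base_dir, user_path):
    # Flawed: inspects the unresolved string, so "../secret.txt" still
    # begins with base_dir once joined and is accepted.
    return os.path.join(base_dir, user_path).startswith(base_dir)


def resolve_inside(base_dir, user_path):
    """Return the resolved path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the decision.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling such as
    # "public_backup" is not mistaken for a child of "public".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    # Constructed layout: only <root>/public may be served.
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    os.makedirs(os.path.join(root, "public_backup"))
    for rel in ("public/index.html", "secret.txt", "public_backup/dump.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    requests = ["index.html", "../secret.txt", "../public_backup/dump.txt",
                os.path.join(root, "secret.txt")]
    # Map each request to (naive verdict, hardened verdict).
    results = {r: (naive_is_allowed(public, r),
                   resolve_inside(public, r) is not None) for r in requests}
    return results, root


if __name__ == "__main__":
    results, _ = demo()
    for request, (naive, hardened) in results.items():
        print(f"{request!r}: naive={naive} hardened={hardened}")
```

The absolute-path request is included because os.path.join discards the base directory when its second argument is absolute, which is why the containment check runs on the resolved result rather than on the joined string.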

Tips for Demonstration

To demonstrate a Path Sanitization Bypass attack you should:

  1. Identify the vulnerable program

  2. Provide the input that results in an attack

  3. Explain why the path sanitization you are bypassing fails to prevent your attack

  4. Show the result of your attack and categorize its impact

srowley1, wschor