Directory Traversal
Directory Traversal is considered as a form of HTTP exploit wherein a certain hacker is to use software on the web server in order to access data into the directory other than the root directory of the server. Once the attempt is considered to be successful, the hacker might already view the restricted files or could even execute commands into the server. This kind of attack is commonly performed with the use of web browsers. And also, any server that input data from the web browser that is not being validated could be vulnerable into the said attack. Directory Traversal has this goal of access a computer file which is not considered as accessible.
If a certain system is considered to be vulnerable with this directory traversal, a certain attacker might use the vulnerability in order to step out the root directory and so access parts of the file system. This would provide the attacker with the chance of seeing the restricted files or might even be more dangerous wherein it would allow the attacker to execute some powerful commands into the web server leading to full compromise of your system. Based on the website access set-up, the attacker might execute commands through impersonating as the user that is being associated with the site.
So how to check whether there are directory traversal vulnerabilities?
It is believe that the best way in order to check whether the site and applications are vulnerable about directory traversal attacks would be through the use of web vulnerability scanner. This scanner would crawl the entire site and could automatically check the directory traversal vulnerabilities. It would as well report the vulnerability and on how to fix it easily as well. It would also check for other web vulnerabilities like SQL injection or cross-site scripting. Directory traversal vulnerability is considered as result of insufficient validation or filtering of the browser input coming from the users.
And so you could prevent directory traversal attacks as well. First, there is a need for you to make sure that you installed the latest version of the web server software and make sure that all of the patches are applied. And then, filter any of the user input effectively. There is a need to ideally remove everything however the known good data as well as filter Meta characters coming from the user input. This would ensure that only the things that are entered in the field would be the ones submitted into the server.
But though some educated guesswork is being involved in terms of finding paths into restricted files on the web server still a skilled hacker could easily carry out directory traversal attack into a server that is inadequately protected through searching the directory tree. The risk of the said attacks might be minimized through installing software patches and updates, careful web server programming, using vulnerability scanners and filtering of the input from the browsers. Directory traversal is as well referred as backtracking or directory climbing.