Path Traversal
Overview of the Vulnerability
Path traversal uses a server misconfiguration to access hidden files and directories that are stored on the served web application. This can include sensitive operating files, code and data that runs the application, or in some cases, user credentials.
An attacker can leverage the path traversal vulnerability in this application to gain access to system files in a folder of a directory that is not intended for public access.
Business Impact
Path traversal can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in data theft and indirect financial losses to the business through the costs of notification and rectifying and breached PII data if an attacker can successfully exfiltrate user data.
Steps to Reproduce
Use burp to replicate this request:
GET /api../README.md HTTP/2
Host: site.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Connection: Keep-alive
Note that it was possible to read the contents of the file.
I performed other checks, but I was unable to read the name of other commonly identified files, but you can better validate by checking the name of other files that actually exist on the server and properly validate the vulnerability.
Also note that the information contained in the readme file is partly from the external environment, where it mentions internal files, shows the execution of a cron job, displays the name of the internal server, among other information.
PoC:
Reward/Status:
Top comments (0)