What is Directory Traversal?


The course is part of this learning path

What is Directory Traversal?

In this course, you will learn how you can view unauthorized files and folders using a technique known as directory traversal and learn how to automize the process with a tool called dotdotpwn.


Hi, within this lecture, we're going to see what is directory traversal and how we can use it to view the files and folders that are resided in the web server if there is any vulnerability. So, I'm in my VirtualBox, I'm in my Kali Linux right now. And bWAPP is also running so I'm reaching the bWAPP  as we did in the previous sections. So, if you skip the previous sections, I suggest you go back and watch them. So, what I'm going to do? I'm going to open here our 'Menu' and I'm going to find the 'Directory Traversal'. So, it should be under, I believe, Missing Functional Access Control. Here you go. As you can see, there are two kinds of Directory Traversals under this Missing Functional Access Control. And one of them is Directories and the other one is for Files. So, that's okay. We can actually do the same thing. It's almost exploited in the same way. Files, let us see the files, and Directories, let us see the directories. Both of them are bad for websites and web applications because it allows us to see the files and folders that are not even related to the website itself. For example, if we can't find a Linux server, we can see the '/etc/passwd' like we have seen before. So, we're going to see both of them. But first, we need to understand how this works. So, let me go to 'Files', for example, and start with files. So, if you look at over here, we don't see anything. But in the parameters, in the URL over here, we see there is something called php?page. So, it's taking in a parameter of page, and the page is message.txt. So, there is a message.txt in somewhere in the Linux server, in the web server that we are running. And it's displaying that message.txt file. So, what if we find a way to go back in the Directories or go forward in Directories and see the other files. So, how we can do that? So, let me try to 'Open' the Burp Suite to understand what's going on in here. So, it's always a good idea to start with Burp Suite as we did before. And with doing that, we learn more in-depth about Burp Suite as well. For example, in this project, we don't even need Burp Suite, but I'm going to show you anyhow. So, my Intercept is on right now and I'm going to 'Turn On' the FoxyProxy. So, I'm just going to select the 'Burp Proxy'. And here you go. Now, it's running. Now, I'm going to 'Refresh' this and it will intercept my request. So, if we look at the request, we can see it's a GET request, first of all. And it's trying to go to that webpage and we are seeing the parameters over here. We haven't seen that tab, I believe. So, there is a Params tab here. So, you can actually see the parameters that are being sent in the request within this site. Of course, in the Raw tab as well, we have seen the parameters. And if we want to, we can change the parameters, but we can do that from here as well. It would be more structural. And we're going to do that in the following lectures. So, even though we didn't see the message.txt in the URL right now, we know that it's trying to load something called message.txt. So, it's loading a file. So, I'm going to turn this off. I just wanted to show you this. I'm going to 'Logout' of this and just 'Turn Off' the FoxyProxy. So, over here, as I said before, it's loading a message.txt we see it in the URL as well. Even though we didn't see it, we could have seen it in the Burp Suite. So, what if I can't see or load the other files in here? For example, if I just write, 'etc/passwd', will it load it? So, let me show you how this works. So, I'm in my Kali Linux. And our Kali Linux also has a web server capability. So, it has Apache Server. We can run it and we can see what's going on in a web server. So, I'm going to show you how to find it and where to put your files. So, we actually have a capability of running your website using Kali Linux. And by doing that, we're going to understand how website files and folders system works. So, open the 'File System' and go to a 'var' folder. It's resided under 'var', 'www', and 'html'. So, this is the default folder for your Apache Server inside of your Kali Linux. And as you can see, there is something called index.html. So, I have previous files and folders over here. Maybe, you don't have that. Maybe, you only have index.html and that's perfectly fine. If you 'Open' it, you will see something like this. So, this is a default HTML file for Apache2. So, if I start my server, I will see this when I type my IP Address. So, the point is I can add any folders or any files over here to use it in my website. For example, right now, I have a backdoors folder but I can just add a test folder. I can just add another folder. I can add images. I can add text files. Like, it loads the message.txt in bWAPP and I can have the same thing over here as well. But, if I add it, it will be added into var/www/html. So, maybe I have three folders nested inside. And then, my message.txt is resided in one of the folders. So, I cannot definitely know where the message.txt might be in the web server. Even though I can assume there is a var/www/html folder, I still don't know. So, let me show you what I mean. I'm going to go to my own 'var/www/html' folder like this. And inside of this folder, I can just say, 'ls' and I can see all the files and folders that we have seen. Now, I can create a new folder by running 'mkdir'. So, this is the short for make directory. If I say, 'test', then it will create a folder called test. If I go into test, then now I'm inside test. So, I can create a text file over here like 'nano test.txt'. So, this will create a test.txt file and I can just write whatever I want. After that, I can hit 'Control + O'. Hit 'Enter' and 'Control + X' to get out of this. 'Control + O', 'Enter', 'Control + X' and you will see test.txt is created for you. Now, this message.txt could have been created in the same way. Maybe, it's under the test folder. Maybe, it's under some another folder. Maybe, it's under message folder. So, I have to know what folder it's resided into, or I can try to assume something, or can try to find some way to understand where it's resided so that I can go back one folder, or two folder, or three folder to reach the root folder and then just do my way up from there. Like, work my way up from there to /etc/passwd, for example. Like, I can just say, 'cd ..', 'cd ..', 'cd ..' over here, like four times, in my case. Then, I can go to 'cd /etc'. And then, I can just get the password file. But, I don't know how many cd .. do I have to do here. So, we're going to try this and try to find the perfect combination to reach one of the files that we can see if there is any directory traversal vulnerability, of course. So, that's what we're going to do. But, we're going to stop here and we're going to do that in the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.