1
00:00:00,810 --> 00:00:02,190
Path traversal.

2
00:00:03,110 --> 00:00:08,360
Web applications sometimes require reading from or writing to a file system.

3
00:00:09,510 --> 00:00:15,990
So by crafting parameters that reference files on the system, yeah, it's possible to access other

4
00:00:15,990 --> 00:00:17,520
files that are stored on the server.

5
00:00:18,770 --> 00:00:25,490
So a path traversal attack may enable us to read sensitive data, including passwords, application

6
00:00:25,490 --> 00:00:28,100
logs and oh so much more.

7
00:00:29,960 --> 00:00:37,720
And we can view security-critical items such as configuration files and software binaries as well.

8
00:00:39,040 --> 00:00:47,290
Now, if we're really good, we're able to navigate out of the webroot folder and then we can perform

9
00:00:47,470 --> 00:00:49,150
path traversal attacks.

10
00:00:50,750 --> 00:00:55,820
So users should only be restricted to the web directory.

11
00:00:56,790 --> 00:01:01,830
OK, and they should not be able to access anything above the webroot.

12
00:01:04,140 --> 00:01:10,950
Now, the most basic path traversal attack is using the dot, dot, slash to move up one directory.

13
00:01:12,330 --> 00:01:16,290
And most web servers have been locked down to prevent this attack.

14
00:01:17,200 --> 00:01:18,140
But you never know.

15
00:01:18,520 --> 00:01:20,140
Some will still accept it.

16
00:01:21,200 --> 00:01:25,100
OK, and so let's go to Kali, log in to bWAPP.

17
00:01:26,830 --> 00:01:31,690
Use the drop-down menu and open Directory Traversal - Directories.

18
00:01:34,020 --> 00:01:37,620
Now, there's nothing strange on the first page at first look.

19
00:01:38,730 --> 00:01:44,490
But look at this, see, when you start to pay attention to the URL, the directory parameter in

20
00:01:44,730 --> 00:01:47,490
the URL can reveal something.

21
00:01:48,770 --> 00:01:50,210
So let's delete this value.
22
00:01:51,740 --> 00:01:54,530
So the warning "this directory doesn't exist" appears.

23
00:01:55,040 --> 00:01:55,600
OK.

24
00:01:57,220 --> 00:02:03,040
This means that parameter takes the name of the folder on the file system and prints the content of

25
00:02:03,040 --> 00:02:03,670
that folder.

26
00:02:04,620 --> 00:02:10,800
So now we can guess folders generally residing in applications, such as JavaScript.

27
00:02:12,410 --> 00:02:13,130
Images.

28
00:02:14,840 --> 00:02:15,620
Stylesheets.

29
00:02:18,050 --> 00:02:19,040
And, of course, admin.

30
00:02:20,620 --> 00:02:21,940
Oh, it works perfectly.

31
00:02:23,610 --> 00:02:27,210
OK, so then we can try to traverse in the directories now.

32
00:02:28,440 --> 00:02:32,460
So for this, we need to climb up in between folders.

33
00:02:33,810 --> 00:02:40,170
Now, I know that the back end is Linux, and so that means I'm going to use Linux filesystem placeholders

34
00:02:40,170 --> 00:02:42,300
to traverse between folders.

35
00:02:43,820 --> 00:02:47,720
So the first thing to do is print what's inside the current folder.

36
00:02:49,030 --> 00:02:52,780
And the application executes the placeholder for the current directory.

37
00:02:54,220 --> 00:02:57,520
And look at the documents and folders under the current directory.

38
00:02:59,860 --> 00:03:06,250
Right, so we are still in the current directory; now, climb up one level using this placeholder.

39
00:03:07,470 --> 00:03:08,100
And it works.

40
00:03:09,030 --> 00:03:13,500
Climb up one more level again, and climb up one more again.

41
00:03:15,100 --> 00:03:16,840
I think we should be in the directory now.

42
00:03:18,270 --> 00:03:20,930
But we can try to climb up one more again.

43
00:03:22,450 --> 00:03:26,050
All right, so climbing up is done, so now it's time to traverse.

44
00:03:27,300 --> 00:03:28,500
Visit the home directory.

45
00:03:29,720 --> 00:03:32,180
And these are the users' home directories.
46
00:03:33,560 --> 00:03:35,120
So we'll go to bee's folder.

47
00:03:36,970 --> 00:03:38,800
OK, go to Documents.

48
00:03:40,020 --> 00:03:41,550
And view the scripts folder.

49
00:03:43,300 --> 00:03:46,690
And here are some scripts that run over the system.

50
00:03:47,550 --> 00:03:52,620
So in a situation like this, you can view many important files and configurations, right?

51
00:03:53,570 --> 00:04:00,320
In path traversal, I generally go to the etc directory and show the password file.

52
00:04:01,670 --> 00:04:08,480
But this vulnerability these days works really only to view the content of the folders and not the files

53
00:04:08,480 --> 00:04:09,170
themselves.

54
00:04:10,370 --> 00:04:14,210
OK, so anyway, let's change the level now to medium.

55
00:04:15,630 --> 00:04:21,150
OK, and put the current folder placeholder to check traversing, and of course, we get a warning.

56
00:04:22,190 --> 00:04:23,270
We are detected.

57
00:04:24,470 --> 00:04:28,580
So let's see if that means that we also cannot climb.

58
00:04:29,150 --> 00:04:31,580
OK, so sadly, that's true.

59
00:04:31,790 --> 00:04:32,570
Climbing is fun.

60
00:04:33,710 --> 00:04:41,630
But what happens if you just type a forward slash? Oh, that works. OK, so it prints the content of

61
00:04:41,660 --> 00:04:42,560
the root directory.

62
00:04:44,190 --> 00:04:47,610
I think the developer is escaping the dot.

63
00:04:49,220 --> 00:04:51,560
So we can check the code later.

64
00:04:52,190 --> 00:04:53,810
Right now, let's go to bee's folder.

65
00:04:55,990 --> 00:05:03,750
And that's nice, this way we can traverse between folders. And now let's change the level to high, so

66
00:05:03,760 --> 00:05:04,900
delete the current value.

67
00:05:06,100 --> 00:05:11,530
An error message appears, and that hasn't stopped us before, so let's try to climb.

68
00:05:12,520 --> 00:05:13,570
And traverse.

69
00:05:16,090 --> 00:05:17,360
OK, so that's not working.
70
00:05:18,220 --> 00:05:20,290
So now let's go and view the code.

71
00:05:21,380 --> 00:05:28,040
So go to the directory traversal page and scroll down to the code.

72
00:05:29,190 --> 00:05:32,460
So here's a function called show directory.

73
00:05:33,540 --> 00:05:35,820
And it has a directory parameter.

74
00:05:37,310 --> 00:05:41,360
It checks to see if the directory exists, then shows the content of that directory.

75
00:05:42,850 --> 00:05:44,740
Scroll down a little bit more.

76
00:05:46,330 --> 00:05:51,280
And the directory parameter in the URL passes to the show directory function.

77
00:05:52,590 --> 00:06:00,450
So if the security level's low, the show directory function just executes. If the level is medium, the parameter

78
00:06:00,450 --> 00:06:05,910
we provide from the URL is checked with the directory traversal check 2 function.

79
00:06:07,080 --> 00:06:11,790
And for the high level, directory traversal check 3 is used.

80
00:06:13,770 --> 00:06:18,870
All right, so now let's have a look at these two functions. Scroll down to the functions that we were

81
00:06:18,870 --> 00:06:19,380
searching for.

82
00:06:20,340 --> 00:06:21,630
All right, so here's the last one.

83
00:06:22,920 --> 00:06:26,730
That's why we are restricted to the webroot directory only.

84
00:06:28,200 --> 00:06:34,470
All right, so now let's go to the other function, and it checks for placeholders that we use to climb

85
00:06:34,470 --> 00:06:35,160
and traverse.

86
00:06:36,630 --> 00:06:42,060
All right, so you get the idea, you can always analyze the code more line by line by yourself.