Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Directory Traversal

Universal

Abstract

Failure to sufficiently validate user supplied input can allow an attacker read arbitrary files on the system.

Explanation

Programmers sometimes allow the end users to specify the location of the application resources. Such a feature can be exploited for malicious purposes if the application fails to validate the user-supplied input and apply appropriate filters to purge use of special characters in the input. A directory traversal vulnerability occurs when the attacker can influence the path to files whose contents are returned by the application.

An attacker can modify the value of such parameters to view files using the web server's access permissions. By sending a specially crafted request containing directory traversal characters, the attacker can gain access to sensitive file contents. To exploit the vulnerability, the attacker can use parent directory references, such as "/../../"-style notation. This can lead to exposure of web application source code, usernames, passwords, and other sensitive configuration information. Additionally, the attacker can also execute arbitrary system commands.

Example 1: A payload using special characters to gain unauthorized system access and execute shell commands.

http://[target]/.../.../.../winnt/system32/cmd.exe?/c+dir

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 22

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution

[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022

[34] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal

desc.dynamic.xtended_preview.directory_traversal