Path Traversal & Local File Inclusion
Path Traversal (CWE-22 - CWE-40) is a vulnerability that occurs when user-controlled input is used to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. When the software does not properly neutralize special elements within the pathname malicious input can cause the pathname to resolve to a location that is outside of the restricted directory.
Path Traversal vulnerabilities are also used by attackers to perform Local File Inclusion (also known as LFI) attacks.
Recommended Security Controls
According to the OWASP and MITRE recommendations, to be protected against Path Traversal and Local File Inclusion, applications must:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e. use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
If user input cannot be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
How Waratek’s Protection Works
Waratek offers protection against Path Traversal and Local File Inclusion attacks via the traversal declaration in the ARMR Filesystem rule. This rule uses the tainting engine to track all user input, hooks into Java’s File API and monitors file system operations. When a file system operation occurs, the Waratek agent checks if the file system path contains user-controllable (tainted) characters that traverse the filesystem.
The traversal(relative) rule detects if user-controlled input is used to traverse the file system using relative file system sequences such as “.." that can resolve to a location that is outside of the current directory.
The traversal(absolute) rule detects if user-controlled input is used to traverse the file system using absolute file system sequences such as “/path/to/file" that can resolve to a location that is outside of the current directory.
By specifying traversal() without any parameters, the rule protects against both relative and absolute path traversal attacks.
By default, when no taint source is specified in the rule, the Path Traversal rule protects against attacks coming from HTTP requests. Users have the option to also enable protection against path traversal attacks coming from other sources such as relational databases and/or deserialization-based protocols such as RMI.
When the Path Traversal rule is enabled in deny mode and a path traversal attack is identified then the malicious file system operation is terminated and a Java exception is thrown back to the application, in accordance with the File API.
The Path Traversal rule is applicable and can be safely enabled in all applications, apart from when applications depend on user-controlled file system paths that contain either relative or absolute file system sequences.
Waratek recommends not to enable the Path Traversal rule in blocking mode if the application depends on traversing the filesystem with user-controlled inputs. Instead, consider enabling the rule in detect mode to monitor such operations.