CWE-22, also known as a path traversal vulnerability, refers to the ability of unauthorized parties to access restricted directories due to a lack of security.
Path traversal allows unauthorized users to access your files. Some of the files are benign, while others may provide them with the information they need to access more sensitive areas. In some cases, the malicious party may be able to modify the files they access.
Engaging in a path traversal attack does not require any special tools; the malicious party only needs access to a web browser and the patience to sift through many directories to find files and directories of interest.
As an example, let’s take a look at an e-commerce website that renders product images as follows:
Notice that the showImage parameter accepts a file name of an image, then retrieves that image. On the back-end, showImage appends the file name to the base directory where the files are stored to perform these actions (e.g., /src/images/product.png).
Without proper protection (perhaps in the form of allowlisting, mapping, or sanitization), the malicious party could leverage the showImage method to retrieve other files.
They could also attempt to append /.., which allows them to step up one level in a directory structure. Perhaps they could even use something like /src/images/../../../ to get to the root level directory, offering a birds-eye view of the entire application.
Path traversal vulnerabilities are a problem if an application accepts user input (either directly or indirectly) and uses that information to form file paths executed by the server. To mitigate this type of vulnerability, the following options are available:
- Attack surface reduction: store as many files outside of the web document’s root or in a separate directory with the appropriate access controls
- Enforcement by conversion : when accepting user input, create a mapping of allowable values; reject any that aren’t included on the mapping
- Environment hardening : run your code using the lowest privileges required; in such cases, the impact of path traversal attacks can be mitigated
- Input validation : accept input, decode and canonicalize it, make sure it matches the applications’ current internal representation, then validate it. There are language-specific functions that can assist with this type of input validation
- Library/framework : use a library or framework that offers protection against unauthorized path traversal
- Sandboxing : run your code in an environment that’s strictly separated from the operating system
Path traversal attacks occur when an unauthorized party can access files they should not by guessing probable file paths. The severity of the exploit depends on the types of files that the malicious party can access.