Shulou(Shulou.com)06/02 Report--

In this issue, the editor will bring you about the harm of directory traversal attacks. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

The harm of directory traversal attacks: path traversal vulnerabilities allow malicious attackers to break through the security control of Web applications and directly access sensitive data that attackers want, including configuration files, logs, source code, etc., set up the server where the website is located can not work properly, and the website is paralyzed.

Benefits are more complex, there are some small ddos attackers, just for vanity, basically no interests, but organized, purposeful ddos attacks, there is a complex chain of interests, generally there will be a master to pay the attacker. For the victims, the harm is the website, the server where the website is set up cannot work properly, and the website is paralyzed. There's a lot of damage.

Path traversal vulnerabilities allow malicious attackers to break through the security control of Web applications and directly access sensitive data that attackers want, including configuration files, logs, source code, etc., with the comprehensive exploitation of other vulnerabilities, attackers can easily obtain higher permissions, and such vulnerabilities are also easy to be discovered, as long as the read and write function blocks of Web applications are detected directly by hand. Judging by the content of the returned page, it is very intuitive and relatively easy to use.

Extended data

Directory traversal attack

I. description

Attackers can obtain system files and server configuration files through directory convenience attacks. In general, they use server API, file standard permissions to attack. Strictly speaking, the directory traversal attack is not a web vulnerability, but a "vulnerability" of website designers.

If web designers design web content without proper access control, allowing http traversal, attackers can access restricted directories and execute commands outside the web root directory.

II. Methods of attack

An attacker traverses the high-level directory by accessing the root directory and sending a series of ".. /" characters, and can execute system commands or even crash the system.

Third, find loopholes

1. You can use the web vulnerability scanner to scan web applications, which can not only find out the vulnerabilities, but also provide solutions, and also find out whether there are sql vulnerabilities and other vulnerabilities.

2. You can also check weblog. If an unauthorized user is found to have access to a leapfrog directory, there is a directory convenience vulnerability.

Fourth, how to prevent

The most effective way to prevent directory traversal attacks is permission control and carefully handle the parameters passed to the file system API. I think the best way to prevent it is to combine the following two:

1. Purify the data: hard-code or uniformly encode the file name parameters passed by the user, whitelist control the file type, and reject the parameters containing malicious characters or empty characters.

2. Web applications can use the chrooted environment to include the accessed web directory, or use the absolute path + parameter to access the file directory so that it is within the access directory even if it exceeds its authority. The www directory is a chroot application.

The above is the harm of the directory traversal attack shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.