A directory traversal vulnerability can exist either in the commercial Web

A directory traversal vulnerability can exist either

This preview shows page 91 - 93 out of 129 pages.

A directory traversal vulnerability can exist either in the commercial Web server itself or in the Web application code executed on the Web server. In the case of Web application code, dynamic pages usually receive input from browsers. Here is an example of such an HTTP request: In this example, the dynamic page requested by the browser is called getnews.asp and the browser sends the Web server the parameter item with a value of 20March2003.html. When executed by the Web server, getnews.asp retrieves the file 20March2003.html from the Web server's file system, renders it and sends it back to the browser which presents it to the user. A skilled attacker will immediately identify the tential problem in this request as the value of the parameter ends with a file extension, in this case "html". The attacker will then assume that the dynamic page retrieves the file from the file system and uses it. By ending the following URL to the Web server: WINNT/win.ini the attacker causes getnews.asp to retrieve the file ../../../../WINNT/win.ini from the file system and send it to the attacker's browser. The term "../" stands for "one directory up". This is a common operating system directive. Therefore, the string ../../../../WINNT/win.ini means "go four directories up and retrieve the file win.ini from there". The attacker needs to guess how many directories to climb in order to get to the desired directory. (In this example the attacker tries to get to "C:\" and is assuming that the Web server's root directory is located four directories below "C:\"). Guessing the exact combination is very easy. The attacker simply sends multiple requests until the desired result is achieved. The directory traversal vulnerability occurs when programmers fail to validate input received from browsers. In the above example, the getnews.asp code does not validate that the value of the item parameter does not exceed from the root directory. The directory traversal vulnerability actually bypasses the Web server's root directory restriction by introducing bad code into the Web server. Web applications are not the only source of directory traversal vulnerabilities in your Web site. Some vulnerabilities exist within
Image of page 91
Exam Name: Implementing Security for Applications with Microsoft Visual Basic .NET Exam Type: Microsoft Exam Code: 70-330 Total Questions: 85 Page 92 of 129 the Web server. These vulnerabilities can be part of sample files (e.g., sample ASP files) that exist on the Web server, or can be incorporated into the Web server software. For example, some earlier versions of the Microsoft IIS Web server included directory traversal vulnerabilities that allow attackers to fully compromise the Web server by executing files on the server. For example, the following URL: cmd.exe?/c+dir+c:\ would execute the cmd.exe file (operating system shell) and run the "dir c:\" command which lists all files in the C:\ directory. Notice the string "%5c" that appears in the URL.
Image of page 92
Image of page 93

You've reached the end of your free preview.

Want to read all 129 pages?