1
00:00:00,810 --> 00:00:02,220
Path traversal.

2
00:00:03,140 --> 00:00:08,390
Web applications sometimes require reading from or writing to a file system.

3
00:00:09,530 --> 00:00:16,010
So by crafting parameters that reference files on the system, yeah, it's possible to access other

4
00:00:16,010 --> 00:00:17,570
files that are stored on the server.

5
00:00:18,790 --> 00:00:25,510
So a path traversal attack may enable us to read sensitive data, including passwords, application

6
00:00:25,510 --> 00:00:28,120
logs and oh so much more.

7
00:00:29,980 --> 00:00:37,740
And we can view security-critical items such as configuration files and software binaries as well.

8
00:00:39,060 --> 00:00:47,310
Now, if we're really good, we're able to navigate out of the webroot folder, and then we can perform

9
00:00:47,490 --> 00:00:49,170
path traversal attacks.

10
00:00:50,770 --> 00:00:55,840
So users should be restricted to the web directory only.

11
00:00:56,810 --> 00:01:01,850
OK, and they should not be able to access anything above the webroot.

12
00:01:04,200 --> 00:01:10,980
Now, the most basic path traversal attack is using the dot, dot, slash to move up one directory.

13
00:01:12,380 --> 00:01:19,640
And most web servers have been locked down to prevent this attack, but you never know, some will still

14
00:01:19,640 --> 00:01:20,170
accept it.

15
00:01:21,220 --> 00:01:25,120
OK, then, so let's go to Kali, log in to bWAPP.

16
00:01:26,860 --> 00:01:31,720
Use the drop-down menu and open Directory Traversal - Directories.

17
00:01:34,040 --> 00:01:37,670
Now, there's nothing strange on the first page at first look.

18
00:01:38,760 --> 00:01:39,380
But look at this.

19
00:01:39,480 --> 00:01:47,520
When you start to pay attention to the URL, the directory parameter in the URL can reveal something.

20
00:01:48,790 --> 00:01:50,230
So let's delete this value.

21
00:01:51,790 --> 00:01:54,550
So the warning "this directory doesn't exist" appears.

22
00:01:55,130 --> 00:01:55,630
OK.

23
00:01:57,250 --> 00:02:03,040
This means that the parameter takes the name of a folder on the file system and prints the content of

24
00:02:03,040 --> 00:02:03,700
that folder.

25
00:02:04,630 --> 00:02:10,840
So now we can guess folders generally residing in applications, such as JavaScript.

26
00:02:12,430 --> 00:02:13,150
Images.

27
00:02:14,870 --> 00:02:15,650
Stylesheets.

28
00:02:18,070 --> 00:02:19,060
And, of course, admin.

29
00:02:20,670 --> 00:02:21,960
Oh, it works perfectly.

30
00:02:23,630 --> 00:02:27,230
OK, so then we can try to traverse the directories now.

31
00:02:28,480 --> 00:02:32,470
So for this, we need to climb up between folders.

32
00:02:33,830 --> 00:02:40,220
Now, I know that the back end is Linux, and so that means I'm going to use Linux filesystem placeholders

33
00:02:40,220 --> 00:02:42,320
to traverse between folders.

34
00:02:43,840 --> 00:02:47,740
So the first thing to do is print what's inside the current folder.

35
00:02:49,050 --> 00:02:52,800
And the application executes the placeholder for the current directory.

36
00:02:54,240 --> 00:02:57,540
And look at the documents and folders under the current directory.

37
00:02:59,890 --> 00:03:06,280
Right, so we are still in the current directory. Now, climb up one level using this placeholder.

38
00:03:07,480 --> 00:03:13,510
And it works. Climb up one more level again, and climb up one more again.

39
00:03:15,130 --> 00:03:16,860
I think we should be in the root directory now.

40
00:03:18,290 --> 00:03:20,960
But we can try to climb up one more again.

41
00:03:22,470 --> 00:03:26,070
All right, so climbing up is done, so now it's time to traverse.

42
00:03:27,340 --> 00:03:28,510
Via the home directory.

43
00:03:29,740 --> 00:03:32,200
And these are the users' home directories.

44
00:03:33,570 --> 00:03:35,160
So we'll go to bee's folder.

45
00:03:37,020 --> 00:03:38,820
OK, so go to documents.

46
00:03:40,050 --> 00:03:41,580
And view the scripts folder.

47
00:03:43,320 --> 00:03:46,710
And here are some scripts that run on the system.

48
00:03:47,580 --> 00:03:52,640
So in a situation like this, you can view many important files and configurations, right?

49
00:03:53,620 --> 00:04:00,340
In path traversal, I generally go to the etc directory and show the password file.

50
00:04:01,700 --> 00:04:08,510
But this vulnerability these days works really only to view the content of the folders and not the files

51
00:04:08,510 --> 00:04:09,200
themselves.

52
00:04:10,400 --> 00:04:14,240
OK, so anyway, let's change the level now to medium.

53
00:04:15,680 --> 00:04:21,170
OK, and put the current folder placeholder to check traversing, and of course, we get a warning.

54
00:04:22,210 --> 00:04:23,290
We are detected.

55
00:04:24,490 --> 00:04:28,600
So let's see if that means that we also cannot climb.

56
00:04:29,150 --> 00:04:31,600
OK, so sadly, that's true.

57
00:04:31,810 --> 00:04:36,340
Climbing is fun, but what happens if you just type a forward slash?

58
00:04:36,970 --> 00:04:38,470
Oh, that works.

59
00:04:39,280 --> 00:04:42,580
OK, so it prints the content of the root directory.

60
00:04:44,180 --> 00:04:47,630
I think the developer is escaping the dot.

61
00:04:49,230 --> 00:04:51,580
So we can check the code later.

62
00:04:52,220 --> 00:04:53,840
Right now, let's go to bee's folder.

63
00:04:56,020 --> 00:05:02,800
And that's nice. This way we can traverse between folders. And let's change the level to high,

64
00:05:03,430 --> 00:05:04,900
so delete the current value.

65
00:05:06,100 --> 00:05:11,560
An error message appears, and it hasn't stopped us before, so let's try to climb.

66
00:05:12,550 --> 00:05:13,600
And traverse.

67
00:05:16,140 --> 00:05:17,380
OK, so that's not working.

68
00:05:18,240 --> 00:05:20,340
So now let's go and view the code.

69
00:05:21,400 --> 00:05:28,060
So go to the directory traversal page and scroll down to the code.

70
00:05:29,210 --> 00:05:32,480
So here's a function called show_directory.

71
00:05:33,570 --> 00:05:35,820
And it has a directory parameter.

72
00:05:37,330 --> 00:05:39,400
It checks to see if the directory exists.

73
00:05:39,940 --> 00:05:41,380
The content of that directory.

74
00:05:42,870 --> 00:05:44,760
Scroll down a little bit more.

75
00:05:46,340 --> 00:05:51,320
And the directory parameter in the URL passes to the show_directory function.

76
00:05:52,620 --> 00:06:00,450
So if the security level's low, the show_directory function just executes. If the level is medium, the parameter

77
00:06:00,450 --> 00:06:05,940
we provide from the URL is checked with the directory_traversal_check_2 function.

78
00:06:07,100 --> 00:06:11,810
And for the high level, directory_traversal_check_3 is used.

79
00:06:13,790 --> 00:06:18,920
All right, so now let's have a look at these two functions. Let's scroll down to the functions that we're

80
00:06:18,920 --> 00:06:19,430
searching for.

81
00:06:20,360 --> 00:06:21,650
All right, so here's the last one.

82
00:06:22,940 --> 00:06:26,780
That's why we are restricted to the webroot directory only.

83
00:06:28,220 --> 00:06:34,520
All right, so now let's go to the other function, and it checks for the placeholders that we use to climb

84
00:06:34,520 --> 00:06:35,180
and traverse.

85
00:06:36,650 --> 00:06:42,110
All right, so you get the idea. You can always analyze the code more line by line by yourself.

