I asked a question on this very site, "Unable to understand why the web app is vulnerable to a Directory traversal attack", where I was given a report stating my web app was vulnerable. I posted a few samples from the report, like `Testing Path: http://127.0.0.1:80/??/etc/issue <- VULNERABLE!`, and now I was asked what those two `/??` are in the posted URL.

I ran a few tests:

- `http://127.0.0.1:80/??/etc/issue` returns the home page.
- `http://127.0.0.1:80/.?/etc/issue` returns the home page.
- `http://127.0.0.1:80/?./etc/issue` returns the home page.

So, the pattern below returns the home page:

`http://127.0.0.1:80/Position1Position2Anything/Anythingcouldbehere`, where

- If Position1 = `?`, the home page is returned irrespective of the contents at Position2.
- If Position1 = `.`, then Position2 must be `?` for the home page.
- `Anything` could be an empty string too.

Now, anything which doesn't match the pattern above returns 400/404.

And I ran the above test for security.stackexchange.com/ and it too returned the same result (followed the same pattern of `.` and `?`) and returned its home page in the browser.

Please explain the role of `?` and `.` in the URLs.

EDIT:
It's only this pattern (the one above, with `?` and `.`) which makes the web app vulnerable to a Directory Traversal attack as per the report sent by the pen-testers.
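The following is an added example, not part of the question or the pen-test report, showing how a URL parser treats the three tested URLs: the first `?` ends the path and starts the query string, and a `.` segment is collapsed by path normalization, so each of them resolves to the root path `/`. The fourth URL is a constructed contrast that keeps a real `..` segment in the path.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample URLs following the pattern from the question (not the report's own list).
SAMPLES = [
    "http://127.0.0.1:80/??/etc/issue",   # Position1 = '?'
    "http://127.0.0.1:80/.?/etc/issue",   # Position1 = '.', Position2 = '?'
    "http://127.0.0.1:80/?./etc/issue",   # Position1 = '?', Position2 = '.'
    "http://127.0.0.1:80/../etc/issue",   # constructed contrast: '..' actually in the path
]


def analyse(url: str) -> dict:
    """Split a URL the way a server does and report what the path really is.

    urlsplit() cuts at the FIRST '?', so everything after it is the query string
    and never reaches the filesystem path.  posixpath.normpath() then collapses
    '.' segments, which is what makes '/.' equivalent to '/'.
    """
    parts = urlsplit(url)
    raw_path = parts.path or "/"
    segments = [s for s in raw_path.split("/") if s]
    return {
        "path": raw_path,
        "query": parts.query,
        "normalized": posixpath.normpath(raw_path),
        # A traversal candidate is a '..' segment in the path itself, not in the query.
        "traversal_segment": ".." in segments,
    }


def is_home_page(url: str) -> bool:
    """True when the routed path normalizes to the web root, i.e. the home page."""
    return analyse(url)["normalized"] == "/"


if __name__ == "__main__":
    for u in SAMPLES:
        info = analyse(u)
        print(f"{u}\n  path={info['path']!r} query={info['query']!r} "
              f"normalized={info['normalized']!r} traversal={info['traversal_segment']}")
```

Running it shows the three URLs from the question all carry `/etc/issue` only inside the query string (or behind a `.` segment) and route to `/`, while only the constructed `..` URL keeps a traversal segment in the path.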