
I asked a question on this very site - Unable to understand why the web app is vulnerable to a Directory traversal attack - where I was given a report stating my web-app was vulnerable.
I posted a few samples from the report, like `Testing Path: http://127.0.0.1:80/??/etc/issue <- VULNERABLE!`; now I was asked what those two `/??` in the posted URL are.

I ran a few tests:
http://127.0.0.1:80/??/etc/issue returns the home page.
http://127.0.0.1:80/.?/etc/issue returns the home page.
http://127.0.0.1:80/?./etc/issue returns the home page.

So, the pattern below returns the home page:
http://127.0.0.1:80/Position1Position2Anything/Anythingcouldbehere, where:
  • If Position1 = ?, the home page is returned irrespective of the contents at Position2.
  • If Position1 = ., then Position2 must be ? for the home page.
  • Anything could be an empty string too.

Now, anything which doesn't match the pattern above returns 400/404.
I also ran the above test against security.stackexchange.com/ and it returned the same result (it followed the same pattern of . and ?) and returned its home page in the browser.

Please explain the role of ? and . in the URLs.

EDIT:
It's only this pattern (the one above, with ? and .) which makes the web-app vulnerable to a directory traversal attack, as per the report sent by the pen-testers.

Batman
  • I totally missed seeing that `/.?` is getting converted into `/?`, and `/?`, being a legal query string, is returning the home page. I guess I have the answer now. I have no idea how I could close a question, so if someone can do it, please close/delete this question. – Batman Sep 08 '16 at 14:01
  • When visiting this page you should have a delete button just under the question text, before the comments. Just click that. – Jonah Benton Sep 08 '16 at 14:29
  • I don't think you should delete the question just because you found the answer yourself. Two upvotes show that two users found the question interesting. You should answer your own question and add details/links about browsers handling path traversals `./..` and the query string, because in the future other users may have the same problem and your answer will help them! – Falco Sep 08 '16 at 15:40
  • Perhaps the `?` is actually another special character that your reporting tool can't display. Perhaps it's some kind of Unicode `.` character that the backend replaces with an ASCII `.`. – CodesInChaos Sep 08 '16 at 17:44
  • Possible duplicate of [Unable to understand why the web app is vulnerable to a Directory traversal attack](http://security.stackexchange.com/questions/136116/unable-to-understand-why-the-web-app-is-vulnerable-to-a-directory-traversal-atta) – CodesInChaos Sep 08 '16 at 17:46
  • @CodesInChaos This question is a follow-up question to Batman's previous question. – Uyghur Lives Matter Sep 08 '16 at 18:28

1 Answer


In HTTP URLs, everything after the symbol ? is part of the GET request data.

  • So in http://127.0.0.1:80/??/etc/issue and http://127.0.0.1:80/.?/etc/issue, the part ?/etc/issue is essentially data in a GET request to the URL http://127.0.0.1:80/.

Note here that ?/etc/issue is not a valid file path.

  • In http://127.0.0.1:80/?./etc/issue, the part ./etc/issue is essentially the data in a GET request to the URL http://127.0.0.1:80/.

Note here that ./etc/issue is a valid path. (Maybe ./etc/passwd is better.)

In the last case, since the scanner got an HTTP/1.1 200, it assumed that it had read the file on the server and marked it as vulnerable.

The scanner is expecting something like HTTP/1.1 404 (Not Found) or HTTP/1.1 302 (URL redirection) for that page to be not vulnerable.

Sravan
  • It's actually safer to serve up the home page for non-existing and blocked URLs than to reveal the structure. – dandavis Sep 08 '16 at 19:14
  • Nice, that helped. – Batman Sep 10 '16 at 14:47
  • This is a false positive finding from dotdotpwn; the ? should be URL encoded, but there isn't a neat way to do that currently and I haven't taken the time to introduce a way to solve it. The current workaround is to use the command line switches to specify a known file and a keyword to match from that file. This way it will only trigger if the actual file content is returned by the URL. In my experience pentesters will manually validate findings and proceed to pillage files if a traversal flaw is found. – wireghoul Sep 11 '16 at 12:22
  • @wireghoul: Thanks for the detailed response. Just asking, couldn't we just introduce an identifier in our web-app (while testing), say in the `` so that we could easily & quickly strike out those vulnerable lines which contain the identifier while leaving the other real vulnerable lines in the report? Basing this comment on the fact that `?` usually returns pages from the web-app only. – Batman Sep 14 '16 at 18:02
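An added example (not from the question, the answer or the dotdotpwn project) that shows both points above: how a server splits each of the report's Testing Path URLs into path and query (so `/etc/issue` never reaches the path component and the request is for `/`, the home page), and the content-keyword check from wireghoul's comment applied to triage such a report. It uses only the standard library; the `Ubuntu` keyword, the constructed responses and the fourth URL are assumptions.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample: the three scanner "Testing Path" URLs quoted in the
# question, plus one hypothetical URL whose dot segments really sit in the
# path, for contrast.
REPORT_URLS = [
    "http://127.0.0.1:80/??/etc/issue",
    "http://127.0.0.1:80/.?/etc/issue",
    "http://127.0.0.1:80/?./etc/issue",
    "http://127.0.0.1:80/static/../../etc/issue",  # hypothetical
]

def server_view(url):
    """Split a request URL the way the server does: everything from the
    first '?' on is the query string, and '.' / '..' segments in the path
    are collapsed by normal dot-segment removal. Returns (path, query)."""
    parts = urlsplit(url)
    return posixpath.normpath(parts.path or "/"), parts.query

def traversal_reaches_path(url, target="/etc/issue"):
    """True only if the probed file name survives in the path component.
    For '/??/etc/issue', '/.?/etc/issue' and '/?./etc/issue' it does not:
    the payload lands in the query string, the path is '/', and the server
    answers with the home page, which is the scanner's false positive."""
    path, _query = server_view(url)
    return path.endswith(target)

def confirmed_by_content(status, body, keyword):
    """The scanner accepted any 200. A defensible rule also requires a
    keyword known to be in the probed file to appear in the body, so a
    200 home page no longer counts as a hit."""
    return status == 200 and keyword in body

def triage(responses, keyword):
    """responses: {url: (status, body)}. Returns {url: verdict}."""
    verdicts = {}
    for url, (status, body) in responses.items():
        if not traversal_reaches_path(url):
            verdicts[url] = "false positive: payload in query string"
        elif not confirmed_by_content(status, body, keyword):
            verdicts[url] = "unconfirmed: 200 but no file content"
        else:
            verdicts[url] = "confirmed: file content returned"
    return verdicts

if __name__ == "__main__":
    # Constructed home-page body that the scanner mistook for file content.
    home = "<html><title>Home</title><body>Welcome</body></html>"
    for url, verdict in triage({u: (200, home) for u in REPORT_URLS}, "Ubuntu").items():
        print(f"{url:45} -> {verdict}")
```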