I've recently come across this blog post of a bug bounty hunter.

Apparently, a path traversal vulnerability was discovered, which looked like this:

 http://help.example.com/@app/skin/views/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd.html

I've never come across such a format for a path traversal.

How does this work and what is the purpose of the URL encoded backslash in %5c..?

Breakfast Serial

1 Answer

7

"%5c" (encoded backslash) is commonly used to circumvent sanitisation of the "../" (forward slash) in a URL, which tries to stop directory traversal via the URL. As you can't have a backslash in a URL it needs to be encoded.

So if the forward slash is blocked, the backslash may work, allowing the attack.

I've seen this more often on IIS attacks rather than Linux/Unix servers.

ISMSDEV
  • So this is basically a circumvention of `../` filtering? – Breakfast Serial Jun 28 '17 at 05:52
  • Yes. Another way of trying to move up a directory. If the forward slash is stripped, then make use of the backslash, as most basic protection methods block `../`. – ISMSDEV Jun 28 '17 at 05:53
  • @BreakfastSerial Yes, I suspect an attempted bypass of `../` filtering. However, from its position, the (URI-encoded) backslash (`0x5c`) is more likely to be "protecting" the first of the dots (`.`) following it than the forward slash. Although it may work on some sites, the fact that `../` is still present "in plain text" suggests it won't be very effective against sites that have _some_ protection. A better attack might be `.../.%5c./.%5c./...` -- i.e. putting the backslash _between_ the two dots so `../` is no longer _directly_ visible. – TripeHound Jun 28 '17 at 11:11
  • Can such attacks be prevented by an MVC-patterned web framework like Laravel or Spring? – sam Apr 25 '18 at 12:29
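The following is an added example, not code from the question, the answer or the comments. It models the two things the thread discusses from the defender's side: why a check that only looks for a literal `../` in the raw URL is weak (it blocks the question's `%5c../` form, as the last comment observes, but misses a `..%5c` form that a lenient server would still treat as "go up one directory"), and what the robust check looks like instead: percent-decode, normalise separators, resolve against the document root, and refuse anything that lands outside it. The base directory `/var/www/help/skin/views`, the request paths and the helper names are all constructed for this illustration.

```python
"""
Added example (not from the original thread): a literal "../" filter versus
resolving the request against a base directory. All paths are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed document root standing in for the "views" route in the question.
BASE = "/var/www/help/skin/views"


def naive_filter_allows(url_path: str) -> bool:
    """The weak check the answer alludes to: reject only a literal '../'."""
    return "../" not in url_path


def percent_decode(url_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, with a bound so that
    multi-encoded input ("%252e") cannot turn this into an unbounded loop."""
    current = url_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_base(url_path: str, base: str = BASE):
    """Emulate a lenient (IIS-style) server that treats '\\' like '/', then
    refuse anything that resolves outside `base`.
    Returns the resolved absolute path, or None if it escapes the base."""
    path = percent_decode(url_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, path.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Constructed request paths: the user-controlled part after ".../views/".
PAYLOAD_FROM_QUESTION = "%5c../" * 7 + "etc/passwd.html"   # "../" still literal
PAYLOAD_BACKSLASH_ONLY = "..%5c" * 7 + "etc/passwd.html"   # no literal "../"
BENIGN = "articles/faq.html"


def classify(url_path: str) -> dict:
    """Summarise how the naive filter and the canonical check treat a path."""
    return {
        "naive_filter_allows": naive_filter_allows(url_path),
        "resolved": resolve_under_base(url_path),
    }


if __name__ == "__main__":
    for label, p in [("question", PAYLOAD_FROM_QUESTION),
                     ("backslash-only", PAYLOAD_BACKSLASH_ONLY),
                     ("benign", BENIGN)]:
        print(label, classify(p))
```

The point of `resolve_under_base` is that it never reasons about the request string itself: whatever encoding or separator the client used, the decision is made on the final path and its relation to the document root, so a separator that the framework happens to accept cannot slip past a pattern the filter happened not to list. The bounded decode loop is there because a single `unquote` leaves `%252e` as `%2e`, which some servers decode a second time on the way to the filesystem.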