Directory Traversal

Posted on November 4, 2012. Filed under: java/j2EE |


The following Servlet intends to let a user supply a file name; it then displays the content of that file.

The normal request will be:

http://localhost:8080/test-app/antiDirectoryTraversal?filename=message.txt

ATTACK

Since the files are in the directory “WebContent/pubfolder/”, an attacker can send a request like the following and view files outside the “pubfolder” folder:

http://localhost:8080/test-app/antiDirectoryTraversal?filename=../index.html

— antiDirectoryTraversal.java —


package testPackage;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import java.io.*;
import javax.servlet.*;

@WebServlet("/antiDirectoryTraversal")
public class antiDirectoryTraversal extends HttpServlet {
    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        String filename = request.getParameter("filename");
        ServletContext context = getServletContext();
        // assume you have created a folder "pubfolder" under the WebContent directory.
        // The user-supplied name is concatenated unchecked, so "../" segments escape pubfolder.
        InputStream inp = context.getResourceAsStream("/pubfolder/" + filename);
        if (inp != null) {
            InputStreamReader isr = new InputStreamReader(inp);
            BufferedReader reader = new BufferedReader(isr);
            PrintWriter out = response.getWriter();
            out.println("<html><head><title>Read Text File</title></head><body>");
            out.println("filename=" + filename + "<br><br>");
            String text = "";
            while ((text = reader.readLine()) != null) {
                out.println(text + "<br><br>");
            }
            out.println("</body></html>");
        }
    }
}

DEFENSE

We can use ESAPI.validator to validate the file name and prevent directory traversal, as in the following code.
Some setup is needed for ESAPI.validator to work:
  • You need to copy all the jar files that ESAPI-1.4.4.jar depends on to your WEB-INF/lib.
  • You need to create a directory “.esapi” under src, then copy ESAPI.properties to that directory.
— antiDirectoryTraversal.java —
package testPackage;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import java.io.*;
import javax.servlet.*;
import org.owasp.esapi.*;

@WebServlet("/antiDirectoryTraversal")
public class antiDirectoryTraversal extends HttpServlet {
    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        String filename = request.getParameter("filename");
        // Reject the request before the name reaches the file system.
        // The third argument (allowNull=false) makes a missing parameter fail validation too.
        if (!ESAPI.validator().isValidFileName(getServletName(), filename, false)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        ServletContext context = getServletContext();
        // assume you have created a folder "pubfolder" under the WebContent directory.
        InputStream inp = context.getResourceAsStream("/pubfolder/" + filename);
        if (inp != null) {
            InputStreamReader isr = new InputStreamReader(inp);
            BufferedReader reader = new BufferedReader(isr);
            PrintWriter out = response.getWriter();
            out.println("<html><head><title>Read Text File</title></head><body>");
            out.println("filename=" + filename + "<br><br>");
            String text = "";
            while ((text = reader.readLine()) != null) {
                out.println(text + "<br><br>");
            }
            out.println("</body></html>");
        }
    }
}
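isValidFileName accepts or rejects the name according to the file-name pattern and allowed extensions configured in ESAPI.properties, so it is worth pairing it with a check that does not depend on that configuration. The helper below is an added example, not code from the original post: it resolves the supplied name against the public folder (the servlet would obtain that folder from context.getRealPath("/pubfolder"), which is assumed to return a real directory) and only accepts paths that stay inside it.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: path containment check independent of ESAPI configuration. */
public final class SafePathResolver {
    private SafePathResolver() {}

    /**
     * Resolves userName against publicDir and returns the absolute path only if
     * it stays inside publicDir; otherwise returns null. Both sides are made
     * absolute and normalised so that ".." segments, "./" prefixes and absolute
     * inputs are all judged after normalisation rather than by string matching.
     */
    public static Path resolveInside(Path publicDir, String userName) {
        if (userName == null || userName.isEmpty()) {
            return null;
        }
        Path base = publicDir.toAbsolutePath().normalize();
        // resolve() with an absolute argument returns that argument unchanged,
        // which the containment check below then rejects.
        Path candidate = base.resolve(userName).normalize();
        // Path.startsWith compares whole path elements, so "pubfolder2" does not
        // pass as a prefix of "pubfolder" the way a String prefix check would.
        if (!candidate.startsWith(base)) {
            return null;   // escaped the public folder
        }
        if (candidate.equals(base)) {
            return null;   // "." or "sub/..": the folder itself, not a file
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path pub = Paths.get("WebContent", "pubfolder");   // constructed sample base
        String[] samples = {                                // constructed inputs
            "message.txt", "notes/readme.txt", "../index.html",
            "notes/../../index.html", "/etc/passwd", "."
        };
        for (String s : samples) {
            Path p = resolveInside(pub, s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

normalize() does not follow symbolic links; if the public folder may contain links, resolve the candidate with toRealPath() before the startsWith check.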