Directory Traversal and Path Manipulation

Directory traversal vulnerabilities allow attackers to read files outside the intended web root directory. They usually arise from improper input validation in the application or from misconfigured web-server directives (directory listings, symlink handling, and Alias/root mappings), which the examples below illustrate.

Vulnerable Apache configuration example:

# VULNERABLE - DO NOT USE
# Indexes: a request for a directory that has no index file returns a listing
# of its contents, so the whole tree under the docroot is enumerable.
<Directory /var/www/html>
    # FollowSymLinks follows symbolic links regardless of who owns them, so a
    # link created inside the docroot (by an upload or deploy step, for
    # example) can expose files outside it.
    Options Indexes FollowSymLinks
    # AllowOverride All lets any .htaccess file in the tree replace this
    # policy, including re-enabling options the server config turned off.
    AllowOverride All
    Require all granted
</Directory>

# Alias maps a URL prefix onto a directory outside the docroot; combined with
# Indexes it publishes a browsable listing of everything under /usr/share/doc.
Alias /docs /usr/share/doc
<Directory /usr/share/doc>
    Options Indexes FollowSymLinks
    Require all granted
</Directory>

Secure Apache configuration:

# Secure configuration
<Directory /var/www/html>
    # Relative (+/-) options merge with the parent <Directory /> section:
    # no listings, and symlinks are followed only when link and target share
    # an owner.
    Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
    # .htaccess files in the tree cannot relax this policy.
    AllowOverride None
    Require all granted
    
    # Deny direct requests for .htaccess/.htpasswd and similar dot-files.
    # This is an access rule for those file names, not a traversal check:
    # ".." normalisation of the request path is done by httpd itself.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</Directory>

# Secure alias configuration
# The alias target needs its own <Directory> section: the filesystem-wide
# "Require all denied" below would otherwise apply to it.
Alias /docs /usr/share/doc
<Directory /usr/share/doc>
    Options -Indexes
    Require all granted
    
    # Deny-list of extensions that must never be served from this tree.
    # A deny-list only covers the names it lists; where the set of
    # publishable files is known, an allow-list (deny everything, then
    # permit matching names) is the stronger form.
    <FilesMatch "\.(conf|log|sh|sql|bak)$">
        Require all denied
    </FilesMatch>
</Directory>

# Global security settings
# Filesystem-wide default: nothing is served unless a more specific
# <Directory> section grants it. Sections are merged shortest path first,
# so this applies regardless of where it appears in the file.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

Nginx prevention measures:

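# Secure Nginx configuration
server {
    # Disable autoindex globally (off is also nginx's default; stated here so
    # an included snippet cannot silently enable listings for the whole server).
    autoindex off;
    
    # Restrict access to hidden files.
    # "return 404" runs in the rewrite phase, before access checks, so it is
    # what the client actually sees; "deny all" is kept as a fallback.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    
    # Block access to backup files
    location ~ \.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)$ {
        deny all;
        access_log off;
        log_not_found off;
        return 404;
    }
    
    # Prevent directory traversal in specific locations
    location /downloads {
        # Reject any literal ".." on the raw request line. nginx already
        # normalises "." and ".." in $uri before mapping it to a path and
        # refuses requests that would climb above the root, so this check is
        # defence in depth rather than the primary control.
        if ($request_uri ~ "\.\.") {
            return 403;
        }
        
        # Use try_files to ensure the file exists
        try_files $uri =404;
        
        # Serve files from /var/www/downloads only. "root" appends the full
        # request URI (including the "/downloads" prefix) to this path, so the
        # document root must be the parent directory: "root /var/www/downloads"
        # would map /downloads/x to /var/www/downloads/downloads/x.
        # root is preferred over alias here because it cannot introduce the
        # alias off-by-slash mapping error.
        root /var/www;
        
        # Additional security headers
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Disposition "attachment" always;
    }
    
    # Secure alias usage
    # Both the location prefix and the alias path end in "/". With alias the
    # prefix is stripped and the remainder of the URI is appended, so the two
    # must agree on the trailing separator or the mapping can land outside
    # /usr/share/doc/.
    location /docs/ {
        alias /usr/share/doc/;
        
        # $request_filename is derived from the normalised $uri, so ".." cannot
        # appear here in practice; kept as a defence-in-depth assertion.
        if ($request_filename ~ \.\.) {
            return 403;
        }
        
        # Only allow specific file types (nested locations inherit the alias)
        location ~ \.(txt|pdf|html)$ {
            # File is allowed
        }
        
        # Everything else under /docs/ is refused
        location ~ . {
            return 403;
        }
    }
}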