Path traversal attacks force access to files, directories, and commands that are located outside the web document root directory or CGI root directory.
An attacker can exploit a URL in a way that the website executes or discloses contents of files on the web server. Even though most websites restrict user access to the web document root or CGI root directory, an attacker can gain access to these directories by using special character sequences.
Signature name | Description | More information |
---|---|---|
HTTP_Apache_SlashSlash | Detects an HTTP GET followed by a double slash. | IBM® X-Force®: Apache GET request directory traversal |
HTTP_DotDot | Detects web requests that contain one or more /../ sequences
that attempt to navigate above the top of the web directory hierarchy. This attempt often bypasses the normal security that is imposed by the web server to access files that are normally restricted. |
IBM X-Force: HTTP "dot dot" sequences |
HTTP_DotDotDot | Detects web requests that contain a /... sequence. | IBM X-Force: HTTP request contains "dot dot dot" in the URL |
HTTP_GET_DotDot_Data | Detects HTTP GET requests that contain ../../../.. in the data. | IBM X-Force: HTTP "dot dot" sequences |
HTTP_GET_Dotdotdot_Data | Detects HTTP GET requests that contain /... in the data. | IBM X-Force: HTTP GET request contains "dot dot dot" |
HTTP_Perl_Example_Code | Detects web requests that contain one or more ../.. sequences that attempt to navigate above the top of the web directory hierarchy and execute an ActiveState Perl program. | IBM X-Force: Microsoft Internet Information Server (IIS) ActivePerl command execution |
HTTP_PhpRocket_Traversal | Detects an HTTP URL which has a query string that contain a page= parameter and whose argument contains a directory traversal (../..). | IBM X-Force: PHP Rocket Add-in for FrontPage "dot dot" directory traversal |
HTTP_POST_dotdot_data | Detects a POST command with argument data that contains (../../). | IBM X-Force: HTTP POST data contains dot dot path |
HTTP_POST_dotdotdot_data | Detects HTTP POSTS that contain (/...). | IBM X-Force: HTTP POST dot dot dot directory traversal |
HTTP_POST_JBoss_Traversal | Detects a POST to the JBoss DeploymentFileRepository service object that is attempting to traverse the directory structure. | IBM X-Force: JBoss Application Server DeploymentFileRepository directory traversal |
HTTP_Sunone_Viewlog | Checks for a specially crafted URL designed to traverse directories and view files. | IBM X-Force: Sun ONE Directory Server ViewLog function directory traversal |
HTTP_URL_BackslashDotDot | Searches for backslash-dot-dot-backslash encoded as hexadecimal in the raw URL (%5c%2e%2e%5c). | IBM X-Force: Apache HTTP Server non-Unix version URL encoded directory traversal |
HTTP_URL_dotpath | Detects web requests that contain a /./ sequence. This attack might indicate an attacker's attempt to evade an intrusion detection system. | IBM X-Force: HTTP URL contains /./ (slash dot slash) |
HTTP_URL_Repeated_Dot | Detects URLs with repeated . (period or dot) characters. | IBM X-Force: Microsoft IIS malformed URL extension data denial of service |