Path Sanitation Bypass
A Path Sanitation Bypass attack allows an attacker to access a file by requesting a relative filepath (i.e. using ..) and bypassing an access control scheme that fails to properly account for input of this type. Note that "accessing a file" is not restricted to reading the contents of that file. Some path-byp attacks might instead provide a path which forces the program itself to read or execute a file to the advantage of the attacker.
This vulnerability is potentially present anytime a program treats user input as a file path (or part of a file path).
All the severity categories can be achieved using this attack. If the vulnerable program returns a file to the user based on some file path input, then the attack is likely data exfiltration. If the vulnerable program reads or executes some file based on user input, then the attack may result in arbitrary code execution.
Defending against Path Sanitization Bypass attacks requires proper path sanitization. Exactly what this means is highly context dependent. There are some universal strategies that are often useful:
- Resolve relative paths to absolute paths before applying access control logic.
- Keep a safelist of files that the program can access and reject requests to access all other files (this is a very conservative strategy that may be infeasible in many contexts).
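The two strategies above, sketched as an added example (not code from the original page). The base directory, file names and function names are constructed for illustration; the flawed check is shown beside the resolve-first check so the difference is visible on the same inputs.

```python
import os
from typing import Optional

BASE_DIR = "/srv/app/public"  # constructed example root, not from the page


def naive_allowed(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Flawed check: the rule is applied to the unresolved string."""
    candidate = os.path.join(base_dir, user_path)
    return candidate.startswith(base_dir)  # ".." segments are still present


def resolve_inside(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Resolve first, then apply the rule. Returns the resolved path or None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check sees the
    # location the filesystem would actually use.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components: /srv/app/public_old is not
    # treated as being inside /srv/app/public, unlike a string prefix test.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safelisted(user_path: str, safelist: set, base_dir: str = BASE_DIR) -> bool:
    """Conservative variant: only exact, pre-approved files are accepted."""
    base = os.path.realpath(base_dir)
    allowed = {os.path.realpath(os.path.join(base, name)) for name in safelist}
    return resolve_inside(user_path, base_dir) in allowed


if __name__ == "__main__":
    # Constructed sample inputs.
    for p in ["docs/readme.txt", "docs/../readme.txt",
              "../private/config.txt", "../public_old/file.txt"]:
        print(f"{p!r:28} naive={naive_allowed(p)} "
              f"resolved={resolve_inside(p) is not None}")
```

The program should then open the path returned by resolve_inside, not the original input string, so the file it reads is the one the check approved.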
Tips for Demonstration
To demonstrate a Path Sanitization Bypass attack you should:
- Identify the vulnerable program.
- Provide the input that results in an attack.
- Explain why the path sanitization you are bypassing fails to prevent your attack.
- Show the result of your attack and categorize its impact.