info on dir traversal techniques, any?

From: Chan Fook Sheng (chanfooksheng_at_pacific.net.sg)
Date: 05/03/04

  • Next message: Marcelo Lećo Caffaro: "Re: Tools to test web services"
    Date: Mon, 03 May 2004 19:16:32 +0800
    To: pen-test@securityfocus.com
    
    

    Hi

    am doing some security audit for a customer, and i come across a web
    application that accept a GET request with a parameter that I believe is
    a filename on the filesystem of the web server.

    I am trying to get the application to display any files on the
    filesystem. I have ried appending %00 etc.. but to no avail.

    Anyone knows of more techniques to try?

    How can one determine whether a web application is opening files for
    read, hence making it possible for directory traversal attack?

    fs

    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------


  • Next message: Marcelo Lećo Caffaro: "Re: Tools to test web services"

    Relevant Pages

    • RE: Removing Local Admin Rights...
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Minimum password requirements
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • Betr.: RE: fax software in the domain
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... pen testing experience in our state of the art hacking lab. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)
    • RE: HIPAA_Compliance
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Cisco CSA
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)