Deep Dive into Directory Traversal and File Inclusion Attacks leads to Privilege Escalation

Authors

  • Mrunalsinh Chawda, School of Information Technology, Artificial Intelligence, and Cyber Security, Rashtriya Raksha University, Gandhinagar, Gujarat, India
  • Dr. Priyanka Sharma, School of Information Technology, Artificial Intelligence, and Cyber Security, Rashtriya Raksha University, Gandhinagar, Gujarat, India

DOI:

https://doi.org/10.32628/IJSRSET218384

Keywords:

Cyber Security, Information Security, Web Application Security, Privilege Escalation, Remote Code Execution, Directory Traversal, Vulnerability Analysis, LFI, RFI.

Abstract

In modern web applications, a directory traversal vulnerability can allow an attacker to view arbitrary files, including sensitive ones. Attackers can exploit identified vulnerabilities or misconfigurations to obtain root privileges. When building a web application, ensure that arbitrary files are not publicly reachable through the production server. File inclusion vulnerabilities exploit the dynamic file-include mechanism that exists in programming frameworks: a local file inclusion (LFI) occurs when uncontrolled user input, such as form values or headers, is used to construct a file include path. By exploiting directory traversal in web servers, an attacker can read arbitrary files, and by chaining it with code injection they can upload a shell to the web server and perform a website defacement attack. Path traversal attacks also take advantage of vulnerable website parameters by including a URL reference to remotely hosted malicious code, allowing remote code execution and leading to privilege escalation.
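As an added example (not code from the paper or from any project it cites), the following Python contrasts the unvalidated include-path construction the abstract describes with a canonicalise-and-check version that keeps the resolved path under the intended directory; the base directory and the inputs are constructed for illustration.

```python
"""Keeping a user-supplied include path inside its intended directory.
Added example; the base directory below is an assumption, not a real deployment."""
import os
from urllib.parse import unquote

# Constructed base directory that include targets are supposed to live under.
BASE_DIR = "/var/www/app/pages"


def vulnerable_include_path(base, user_value):
    """The pattern the abstract describes: user input concatenated straight
    into the include path. '../' segments and absolute paths pass through
    (os.path.join discards base when user_value is absolute)."""
    return os.path.join(base, user_value)


def safe_include_path(base, user_value):
    """Return the canonical path if it stays under base, otherwise None.

    Percent-decodes (twice, to also catch a re-decoding layer), rejects empty
    input and embedded NULs, resolves '..' lexically with normpath, then
    checks the result against the canonical base. Lexical normalisation keeps
    this deterministic offline; a deployment would also apply os.path.realpath
    so that symlinks inside base cannot point back out of it.
    """
    decoded = unquote(unquote(user_value))
    if not decoded or "\x00" in decoded:
        return None
    base_real = os.path.normpath(os.path.abspath(base))
    candidate = os.path.normpath(os.path.join(base_real, decoded))
    # The separator in the prefix check prevents /var/www/app/pages2 from
    # being accepted as a child of /var/www/app/pages.
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        return None
    return candidate


def classify(user_value):
    """'allowed'/'blocked' verdict next to the path the vulnerable code would use."""
    verdict = "allowed" if safe_include_path(BASE_DIR, user_value) else "blocked"
    return verdict, vulnerable_include_path(BASE_DIR, user_value)


if __name__ == "__main__":
    # Constructed inputs: one benign, the rest traversal variants.
    for value in ["about.php", "../../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                  "/etc/passwd", "sub/../index.php", "%252e%252e/config.php"]:
        print(value, classify(value))
```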


Published

2021-06-30

Section

Research Articles

How to Cite

Mrunalsinh Chawda, Dr. Priyanka Sharma, "Deep Dive into Directory Traversal and File Inclusion Attacks leads to Privilege Escalation", International Journal of Scientific Research in Science, Engineering and Technology (IJSRSET), Print ISSN: 2395-1990, Online ISSN: 2394-4099, Volume 8, Issue 3, pp. 115-120, May-June 2021. Available at doi: https://doi.org/10.32628/IJSRSET218384