38 questions
0 votes, 1 answer, 70 views
Does flask dev server normalize paths?
I was playing a CTF which was about path traversal. The server code was like below:
import flask
import os
app = flask.Flask(__name__)
@app.route("/docs/<path:path>", methods=["...
0 votes, 1 answer, 93 views
Deleting files based on input to avoid accessing parent folders
I am doing a REST API in Java (although this question may apply to other languages) where I create several local files and directories, and they can be deleted based on input. I manage my files in a ...
1 vote, 0 answers, 134 views
How to prevent path traversal?
I recently found a path traversal vulnerability in my NestJS application.
I had a download middleware that would take the filename from the URL:
async use(req: Request, res: Response) {
const ...
-4 votes, 1 answer, 192 views
Is there a way to prevent directory traversal attacks (../ pattern) at the JRE level? [closed]
I'm looking for a way to prevent directory traversal attacks, specifically those involving the ../ pattern in file paths, at the Java Runtime Environment (JRE) level. My goal is to ensure that such ...
1 vote, 0 answers, 657 views
Path Traversal vulnerability for a file object
I'm trying to fix Path Traversal Vulnerability raised by Gitlab SAST in the Java Source code. There is a scenario where I am creating a file object by passing in an Input string. Then creating a file ...
0 votes, 0 answers, 347 views
Path Traversal Issue Fix in Nodejs
Below is an image consisting of lines of code that represent uploading file(s) in Node.js (Koa framework). It is working fine. But one vulnerability arises from the line
"const readStream = fs....
1 vote, 1 answer, 4k views
Path traversal vulnerability
The concept of path traversal is new to me. I would like some guidance please.
In my project I have the following line of code:
uploadimg.SaveAs(Server.MapPath("tempfiles/" + fUIName));
...
1 vote, 0 answers, 2k views
Validate String in Java To Avoid Path Traversal
I have a system where users can upload files. I want to throw an exception in case the filename contains sensitive characters like "../", etc. (to avoid Path Traversal vulnerability: "...
0 votes, 1 answer, 98 views
Traverse an object of arrays, for a nested form
I have a dynamic form that is nested; the form is to describe an overhead gantry crane.
So the structure looks like this:
let equipmentInfo = {
bridges:[{
trolleys:[{
hoists:[{
...
0 votes, 1 answer, 4k views
checkmarx stored absolute path traversal
We are trying to fix some issues reported by Checkmarx. I have to say the Stored xxx series of issues are hard to find solutions for.
About this one, we have the following code
PreparedStatement ps = conn....
0 votes, 1 answer, 103 views
Openstack path traversal guidelines docs have a broken example. What went wrong?
https://security.openstack.org/guidelines/dg_using-file-paths.html
If I try to run the given code from the above link:
import os
def is_safe_path(basedir, path, follow_symlinks=True):
# resolves ...
3 votes, 1 answer, 10k views
A Path Traversal vulnerability in asp.net core
I already tried these solutions
Does my code prevent directory traversal in C#?
Is Path Traversal Vulnerabilities possible in my below code?
How to prevent Path Traversal in .NET
How to avoid ...
1 vote, 1 answer, 889 views
ASP.NET - Path Traversal exploit when downloading a File
How could I solve this problem in that code? I've tried some approaches, but I couldn't pass the Checkmarx test (the system used to perform the scan)
FinalUploadFolder comes from the WebConfig file, which ...
5 votes, 2 answers, 15k views
Input_Path_Not_Canonicalized - PathTraversal Vulnerability in checkmarx
I am facing a path traversal vulnerability while analyzing code through Checkmarx. I am fetching the path with the below code:
String path = System.getenv(variableName);
and the "path" variable value is ...
3 votes, 1 answer, 6k views
How to deal with Path Traversal?
I'm trying to understand how to deal (in a secure way) with Path Traversal.
For example, an application receives from a client a file name via REST API in JSON, looks for it in the non-accessible (by ...
2 votes, 2 answers, 8k views
How can I perform a path traversal attack on this service hosted in IIS?
Background
I am attempting to perform a path traversal attack on a vulnerable service hosted in IIS.
The service is something like this:
GET /api/download/{file-name}
The underlying code is something ...
0 votes, 1 answer, 158 views
Given the coordinates of rectangles, connect them to make a path from start to end
There are a lot of rectangles; each one will have lower-left and upper-right coordinates.
And they are either overlapping (fully or partially) or touching at least one edge with another one.
Am looking ...
0 votes, 0 answers, 2k views
Fixing Path_traversal when downloading a file
How to fix this code so that it is not accused of this type of vulnerability?
I'm using Checkmarx to scan, and it encountered this problem when downloading a file
Error reported by Checkmarx:
Method ...
1 vote, 1 answer, 1k views
Does Azure storage allow path traversal?
Security-wise, if I receive parts of the path from the user, do I need to sanitize them?
Oversimplified example (in Python):
from azure.storage.blob import BlobServiceClient
client = BlobServiceClient....
-4 votes, 1 answer, 303 views
Prevent users from downloading other files by changing the path in a URL query
I have a download function receiving the filename by $_GET and I want to prevent users from downloading other files by changing the path and accessing other files in the system.
method:
function ...
1 vote, 1 answer, 75 views
Having issues with Dijkstra's algorithm
Trying to implement Dijkstra's via the instructions in this article:
https://medium.com/@adriennetjohnson/a-walkthrough-of-dijkstras-algorithm-in-javascript-e94b74192026
My repl below:
https://repl.it/...
0 votes, 0 answers, 252 views
Testing against directory traversal
I was reading about testing against directory traversal on this website: https://wiki.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
And at the end it says
Testing ...
2 votes, 1 answer, 4k views
Path traversal with python request
Recently I wanted to automate an attack on a web app that is prone to path traversal attacks (NVMS1000) via the Python requests module.
The request works perfectly with curl by using the option path-as-...
1 vote, 1 answer, 1k views
Java webapp code returning with a path traversal problem when tested in a bot
So I have been given the task of fixing a path traversal problem in a basic Java web app, but I am quite stuck. We are meant to essentially make sure the code is secure, while maintaining ...
0 votes, 1 answer, 177 views
Processmaker 3.* Path Traversal Issue
I have Processmaker 3.1.3 running on an RHEL 7 server. But recently I found that the server is vulnerable to a path traversal attack. The entire application is running through the file App.php into ...
0 votes, 3 answers, 504 views
How to traverse directories a path consists of in BASH
I'm about to program a file parser which operates in a directory tree structure. Once I find a specific leaf directory I want to go through all directories which the path consists of and do some ...
0 votes, 0 answers, 501 views
How to stop Google Chrome from removing ../ from the requested URL?
I'm testing if my application is prone to path traversal attacks, but when browsing to localhost/browser/../123/456.txt Chrome automatically converts the URL to localhost/browser/123/456.txt. How can ...
3 votes, 2 answers, 1k views
How do I fix SCS0018?
Security Scan SCS0018 Warnings in Visual Studio are shown during the build. Currently, I am working on getting these warnings removed. I tried several MSDN sites but no luck. I have also read OWASP but ...
0 votes, 1 answer, 5k views
How to fix aspx?Dir=http://externalwebsite.com IIS 8.5 vulnerability
I work with development and pre-production IIS servers to publish and test the web applications we develop. Some Ethical Hacking consultant came and warned us about a vulnerability they found in some ...
0 votes, 1 answer, 2k views
ZAP seems to incorrectly report path traversal vulnerability in Angular app
I'm running OWASP ZAP as part of an automated CI/CD process. I am doing a spider and active scan. The report showed that there is a Path Traversal error.
First, this is an Angular 2 site so there ...
0 votes, 1 answer, 2k views
Is path traversal possible using Java's File constructor?
I'm building a webservice where users can upload zip files that get unzipped and saved to our server.
I created the following function to open a file in a specified path:
private File ...
0 votes, 1 answer, 1k views
Getting a path traversal flag in Zap OWASP, but parameters are perfectly valid
A penetration test using OWASP Zap is finding a number of Path Traversal 'vulnerabilities' but either the report isn't telling me the whole story, or they seem perfectly safe to me. E.g.:
URL: http://[...
0 votes, 2 answers, 856 views
IBM AppScan Security PathTraversal issue in File.Copy method in VB.Net
I ran the IBM AppScan tool on a VB.Net source. I am getting one security issue in the File.Copy method under the Path Traversal category.
Issue Detail -
Vulnerability Type - PathTraversal
This API accepts a ...
0 votes, 1 answer, 2k views
ZAP reports there's a path traversal vulnerability. How did it find it?
I was testing a web application with ZAP and it reports a path traversal vulnerability. I understand how it works (at least, I think so), so I reviewed the code, tested the URLs, but I could not ...
22 votes, 2 answers, 18k views
Filtering upwards path traversal in Java (or Scala) [closed]
Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a ...
1 vote, 2 answers, 2k views
Pass sonar's PT_RELATIVE_PATH_TRAVERSAL in java
I've got two issues Sonar is sad about. The first one is in a line of code with a relative path traversal issue which looks like this:
File f = new File(MY_DIR + filename);
Where filename is a parameter I'...
1 vote, 1 answer, 349 views
Nested PathTransitions in JavaFX
I am trying to get my node to travel along the path of a circle, and at the same time have THAT circle travel along the path of a rectangle. Is it possible?
This is what I have so far:
void move(...
51 votes, 3 answers, 63k views
What's the best way to defend against a path traversal attack?
I have a Java server implementation (TFTP if it matters to you) and I'd like to ensure that it's not susceptible to path traversal attacks allowing access to files and locations that shouldn't be ...