Objective: To identify and verify directory traversal vulnerabilities that allow unauthorized access to sensitive system files.

1. The Vulnerability: Path Traversal (CWE-22)

The web application was found to be vulnerable to Path Traversal (also known as Directory Traversal) because it failed to properly sanitize user-supplied input used to reference files on the server. This flaw allows an attacker to use special characters, such as ../, to break out of the intended web root directory and access restricted files or directories elsewhere on the file system.

2. Technical Execution: Resource Interrogation

I utilized OWASP ZAP to identify parameters susceptible to path manipulation. By injecting traversal sequences into the column parameter of the target URL, I observed the application’s response to determine if it would disclose file paths or system-level error messages.

Component            | Value           | Purpose
---------------------|-----------------|-------------------------------------------------------------
Vulnerable Parameter | column          | The input vector used for path manipulation.
Risk Level           | High            | Potential for full system file disclosure.
Detection Method     | Active Scanning | Automated probing of parameters for traversal flaws.
Tool                 | OWASP ZAP       | Facilitates the identification of insecure file referencing.

3. Execution Workflow

  1. Automated Reconnaissance: Initiated an Active Scan within OWASP ZAP to systematically test the application’s URL parameters for traversal vulnerabilities.
  2. Alert Analysis: Flagged a “Path Traversal” alert which indicated that the application was improperly handling input in the column parameter.
  3. Payload Verification: Analyzed the attack vector to confirm that the technique could potentially reach directories residing outside the web root directory.
  4. Context Evaluation: Noted the request URLs and parameters where the vulnerabilities were flagged to determine the scope of the exposure.

4. Key Commands

# Example of a traversal payload identified during the scan
# This attempts to move up the directory tree to reach system files
../../../../etc/passwd

# The targeted URL identified by ZAP
http://localhost:8080/WebGoat/SqlInjectionMitigations/servers?column=..%2F..%2F
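The payload and URL above are what ZAP reported; the same sequences can be picked out of a web server's access logs after the fact. The following is an added illustration written for this report, not ZAP output and not WebGoat code: it percent-decodes each query parameter repeatedly (so double-encoded forms such as %252F are seen as the server would ultimately interpret them) and flags any value containing a traversal marker. The log lines are constructed for the example; the second one mirrors the request ZAP flagged.

```python
"""
Detect directory-traversal attempts in web server access logs.

Added illustration for this report; not output of OWASP ZAP and not
WebGoat code. The log lines below are constructed for the example.
"""
import re
from urllib.parse import unquote, urlsplit

# Traversal markers to look for once the query string is fully decoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")

# Extracts the request line from a common/combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /WebGoat/SqlInjectionMitigations/servers?column=hostname HTTP/1.1" 200 512
127.0.0.1 - - [10/Oct/2023:13:55:41 +0000] "GET /WebGoat/SqlInjectionMitigations/servers?column=..%2F..%2F HTTP/1.1" 200 3140
127.0.0.1 - - [10/Oct/2023:13:55:47 +0000] "GET /WebGoat/SqlInjectionMitigations/servers?column=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 87
127.0.0.1 - - [10/Oct/2023:13:55:52 +0000] "GET /WebGoat/static/app.js HTTP/1.1" 200 2201
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences like %252F become '/' as a server would see them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value contains
    a traversal sequence. Each finding records the log line number, the
    request path, the parameter name and the decoded value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Split the raw query by hand so decoding stays explicit and repeated.
        for pair in parts.query.split("&"):
            if not pair:
                continue
            name, _, raw = pair.partition("=")
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                findings.append({
                    "line": lineno,
                    "path": parts.path,
                    "parameter": fully_decode(name),
                    "decoded_value": value,
                })
    return findings


if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        print(f"line {f['line']}: {f['parameter']}={f['decoded_value']!r} on {f['path']}")
```

Matching on the decoded value rather than on the raw query string is what makes the third line visible; a rule that looked only for the literal string `../` would miss it.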

5. Evidence of Work

Figure (Discovery)
Caption: Identification of the Path Traversal alert and the vulnerable parameter in OWASP ZAP.

Figure (Results)
Caption: Results/Impact phase showing the technical description of the attack and the input vector (URL Query String) identified by the tool.

6. Professional Impact

This project highlights a critical risk to Data Confidentiality and System Integrity, as an attacker could potentially read sensitive configuration files or credentials stored on the server. To remediate this, I recommended that the application validate user input against a known “allow-list” of expected values rather than relying on sanitizing malicious sequences. Furthermore, I advised ensuring that the application process runs with the least privilege necessary to prevent access to sensitive operating system files.
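The remediation recommended above, shown as an added example that is not WebGoat's own code: a flawed lookup that joins the user-supplied `column` value directly onto the web root, beside a hardened version that first checks the value against an allow-list of expected column names and then, as defence in depth, confirms that the canonical result still lies under the web root. The handler shape (a `column` value naming a file under a web root) and the set of allowed column names are assumptions made for the example.

```python
"""
Vulnerable file lookup beside its hardened counterpart.

Added illustration for this report, not WebGoat's own code. The handler
shape and the allowed column names are assumptions for the example.
"""
from pathlib import Path
import tempfile

# Assumed set of values the application legitimately expects for `column`.
ALLOWED_COLUMNS = frozenset({"id", "hostname", "ip", "mac", "status", "description"})


def resolve_unsafe(web_root: Path, column: str) -> Path:
    """The flawed pattern: the user-controlled value is joined onto the web
    root with no validation, so '../' sequences walk out of the root."""
    return (web_root / column).resolve()


def resolve_safe(web_root: Path, column: str) -> Path:
    """Hardened lookup.
    1. Allow-list: reject anything that is not a known column name.
    2. Defence in depth: after '..' and symlinks are resolved, require that
       the result is still under the canonical web root."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected column value: {column!r}")
    root = web_root.resolve()
    candidate = (root / f"{column}.txt").resolve()
    if root not in candidate.parents:
        raise ValueError("resolved path escaped the web root")
    return candidate


def is_inside(web_root: Path, candidate: Path) -> bool:
    """True when `candidate` lies strictly below the canonical web root."""
    return web_root.resolve() in candidate.resolve().parents


def demo() -> dict:
    """Create a throwaway web root and exercise both resolvers; returns a
    summary so the outcome can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "hostname.txt").write_text("hostname\n")

        payload = "../../../../etc/passwd"  # traversal sequence from the scan
        unsafe = resolve_unsafe(root, payload)
        try:
            resolve_safe(root, payload)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        ok = resolve_safe(root, "hostname")

        return {
            "unsafe_escapes_root": not is_inside(root, unsafe),
            "safe_rejects_payload": safe_rejected,
            "safe_allows_known_column": is_inside(root, ok) and ok.name == "hostname.txt",
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The allow-list check alone closes the flaw, because the request never reaches the file system unless the value is one of the expected names; the containment check is there so that a later change which widens the accepted values cannot silently reopen the traversal.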