Path Manipulation and interesting JAVA code

Directory Traversal (CWE-22) is usually considered a subset of Path Manipulation (CWE-73).

Very often, when I give lectures about application security, I start with a path manipulation example.
I found that it is easy for developers to understand the risk posed by this attack, but it’s relatively complicated to avoid it correctly, so it gives a great background for discussing more complicated attacks.

Usually I begin with a short "hacking game" showing the following VB (6) example (assuming that the filename and ext variables are treated as user input):

    ' filename and ext both come from the user
    If (ext <> "exe") Then
        Open filename & "." & ext For Output As #1
        Print #1, "^ CxThoughts blog"
        Close
    Else
        MsgBox ("WOW! I found a hacker!")
    End If

Then I ask the students to fix the code so the following rules will apply:
1. The user should be able to create ANY type of file anywhere she wants, with the content "^ CxThoughts blog".
2. Only the .exe extension is forbidden, and an appropriate message should appear in case of a hacking attempt.

Seems simple, eh?
Try to do it yourself, then try to break in, then fix, then break in again… it is not as easy as it first looks.
My guess is that it will be possible to hack into any of your solutions…
I am looking forward to reading your comments.

——————-

Recently I encountered the following Java code, which should receive a full path name and return only the filename (e.g. getFilename("C:\try\temp.txt") = temp.txt).

What do you think?

    // needs: import java.io.File;
    private String getFilename(String filepath)
    {
        String filename = filepath.trim();
        int index = filepath.lastIndexOf(File.separator);
        if (index > -1)
        {
            filename = filepath.substring(index);
        }
        return filename;
    }
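
The method above can be run next to a stricter variant to compare what each returns for the same input. This is an added example, not code from the original post: the class name, `safeFilename` and the sample paths are assumptions constructed for illustration, and the output of `getFilename` differs by platform because `File.separator` is "\" on Windows and "/" elsewhere.

```java
import java.io.File;

public class GetFilenameDemo {
    // Body as in the post (made static so main can call it).
    static String getFilename(String filepath) {
        String filename = filepath.trim();
        int index = filepath.lastIndexOf(File.separator);
        if (index > -1) {
            filename = filepath.substring(index);
        }
        return filename;
    }

    // Hypothetical stricter variant (an assumption, not the author's fix):
    // works on the trimmed string, splits on both '/' and '\' on every
    // platform, drops the separator itself, and rejects anything that is
    // not a plain file name.
    static String safeFilename(String filepath) {
        String p = filepath.trim();
        int index = Math.max(p.lastIndexOf('/'), p.lastIndexOf('\\'));
        String name = p.substring(index + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('\0') >= 0 || name.indexOf(':') >= 0) {
            throw new IllegalArgumentException("not a plain file name");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the post.
        String[] samples = {
            "C:\\try\\temp.txt",        // the post's own example
            "  C:\\try\\temp.txt  ",    // surrounding whitespace
            "C:\\try/../../other.txt",  // mixed separators
            "/srv/data/../other.txt",   // forward slashes only
            "C:\\try\\"                 // no file name after the separator
        };
        for (String s : samples) {
            String strict;
            try {
                strict = safeFilename(s);
            } catch (IllegalArgumentException e) {
                strict = "<rejected>";
            }
            System.out.printf("%-28s post=[%s] strict=[%s]%n", "[" + s + "]", getFilename(s), strict);
        }
    }
}
```

Comparing the two columns shows where the posted method keeps the leading separator, discards the result of `trim()`, or returns a value that still contains path components.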
