Verify path traversal vulnerability in web server

2020-06-08 14:52发布

站内问答 / 移动开发
1992 3 5

I want to verify that my web application does not have a path traversal vulnerability.

I'm trying to use curl for that, like this:

$ curl -v http://www.example.com/directory/../

I would like the HTTP request to be explicitly made to the /directory/../ URL, to test that a specific nginx rule involving proxy is not vulnerable to path traversal. I.e., I would like this HTTP request to be sent:

> GET /directory/../ HTTP/1.1

But curl is rewriting the request as to the / URL, as can be seen in the output:

* Rebuilt URL to: http://www.example.com/
(...)
> GET / HTTP/1.1

Is it possible to use curl for this test, forcing it to pass the exact URL in the request? If not, what would be an appropriate way?

3条回答
混吃等死
2楼-- · 2020-06-08 15:08

You can use an intercepting proxy to capture a request to your application and repeat the request with parameters changed, such as the raw URL that is requested from the application.

The free version of Burp Suite will allow this using the Repeater.

However, there are alternatives that should also allow this such as Zap, WebScarab and Fiddler2.

查看更多
0人赞 添加讨论(0) 举报
孤傲高冷的网名
3楼-- · 2020-06-08 15:12

The curl flag you are looking for is curl --path-as-is .

查看更多
0人赞 添加讨论(0) 举报
欢心
4楼-- · 2020-06-08 15:23

I'm not aware of a way to do it via curl, but you could always use telnet. Try this command:

telnet www.example.com 80

You'll see:

Trying xxx.xxx.xxx.xxx... Connected to www.example.com. Escape character is '^]'.

You now have an open connection to www.example.com. Now just type in your command to fetch the page:

GET /directory/../ HTTP/1.1

And you should see your result. e.g.

HTTP/1.1 400 Bad Request

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)