              Outbreak Magazine Issue #11 - Article 9 of 18
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'


Basic Directory Transversal

By:  StankDawg@hotmail.com

http://www.StankDawg.com/


When digging into a system it is always smart to look for obvious lack of 
security instead of looking at holes within the security.  In other words, 
if you want to poke around a system, look for the obvious, visible openings 
before engaging in actually attacking the security of the system.  I look at 
this as being given access instead of gaining unauthorized access, which 
legally, is a big difference.  Now I am not a lawyer, but these are two 
completely different things in my mind.

Basic directory transversal involves seeing what directories are publicly 
accessible without "breaking into" anything.  More advanced forms of directory 
transversal involve using these basic principles to slide through security by
using things like "/../" and hex codes to try and fool the software into 
allowing you access to directories that were not intended to be accessible.  
But let's stick to the basics for now.  For example, depending on the type of
web server running, you are probably familiar with the fact that there is a 
specific default directory structure that usually contains at least one 
subfolder called "images."  No HTML is usually stored in this directory, but 
there are images there.  If the privileges are not set up properly, you can 
browse to the images directory and see all of the files contained within.

Take this one step further and see what other directories you can get into.  
You might find directories called "content," "templates," "members," or 
pretty much anything.  Each one of these folders should be locked down to 
prevent unauthorized access.  The sad reality is that they are not.  During 
your normal browsing of a site, or your intentional targeting of a site, 
notice the directory structure of the site.  Notice that you may suddenly 
jump two directories deep.  You may click on a link from the main page to a 
page located at "../content/articles/page1.html."  Notice that you are 
entirely bypassing a directory.  It is usually these directories that are 
unsecured.  Either the administrators are too lazy to lock that directory 
down, or they don't even realize that it is publicly accessible.  Even though 
there is no link to it, simply navigate to that directory and see if there 
is anything there.  You may be surprised at what you find.
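The administrator's side of the same observation, as an added example that is not part of the original article: a small audit script that walks a web document root and reports every directory that a server with automatic indexing switched on would list to anyone who browses to it (no index file, and no "Options -Indexes" opt-out in its own or an ancestor's .htaccess). The index filenames and the Apache directive syntax are assumptions; the sample tree is constructed to mirror the "images", "content" and "members" layout the article describes.

```python
import os
import re
from pathlib import Path

# Files a typical server returns instead of a listing (assumed Apache-style defaults).
INDEX_FILES = ("index.html", "index.htm", "index.php")
# Apache directive that switches auto-indexing off, e.g. "Options -Indexes".
NO_INDEXES = re.compile(r"^\s*Options\b[^#\n]*-Indexes", re.IGNORECASE | re.MULTILINE)

def listable_dirs(tree):
    """tree: {"/content/articles": (filenames, .htaccess text or None), ...}.
    Returns paths with no index file and no "-Indexes" opt-out in self or an ancestor."""
    protected, exposed = [], []
    for path in sorted(tree):                       # parents sort before children
        files, htaccess = tree[path]
        if any(path.startswith(p.rstrip("/") + "/") for p in protected):
            continue                                # opt-out is inherited from an ancestor
        if htaccess and NO_INDEXES.search(htaccess):
            protected.append(path)
            continue
        if not any(f in INDEX_FILES for f in files):
            exposed.append(path)
    return exposed

def scan_docroot(docroot):
    """Build the tree for listable_dirs() from a real document root on disk."""
    tree = {}
    for cur, subdirs, files in os.walk(docroot):
        subdirs[:] = [d for d in subdirs if not d.startswith(".")]   # skip .git etc.
        rel = os.path.relpath(cur, docroot).replace(os.sep, "/")
        ht = Path(cur, ".htaccess")
        htaccess = ht.read_text(errors="replace") if ht.is_file() else None
        tree["/" if rel == "." else "/" + rel] = (files, htaccess)
    return tree

# Constructed sample mirroring the layout the article describes (not a real site).
SAMPLE_TREE = {
    "/":                 (["index.html", "about.html"], None),
    "/images":           (["logo.gif", "banner.jpg"], None),
    "/content":          ([], None),
    "/content/articles": (["page1.html", "page2.html"], None),
    "/members":          (["list.html"], "Options -Indexes\n"),
    "/members/private":  (["secret.html"], None),
    "/templates":        (["index.php", "base.tpl"], None),
}

if __name__ == "__main__":      # pass a docroot path to audit a real tree
    import sys
    print(listable_dirs(scan_docroot(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE))
```

On the sample tree it reports "/content", "/content/articles" and "/images"; "/members/private" is silent because the opt-out in "/members" covers the subtree.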

From this point, you should look for a pattern.  Is everything else also 
stored in subdirectories beneath the "content" directory?  If it is open, 
you will see the list of files and subdirectories.  They may not be listed 
on the home page, or linked to from any other page on the entire site.  
They may be pages that are under construction, or pages that have been 
removed for one reason or another (when I say removed, I mean that the links 
were removed, but obviously the pages may still exist).  Sometimes you may 
find "objectionable content" that was removed by request.  Frequently you 
will find the new updated home page in a subdirectory just waiting to be 
moved into the root directory.  The really fun stuff is finding a "secret" 
page that some 31337 h4x0r has "hidden" on his site that only friends are 
supposed to know about, or a page that is under construction and was not 
intended to be available yet.  I have, on many occasions, had accounts 
removed for turning in a prize claim or contest entry before the page has 
been released!

There is a lot that you can do to find the directory structure of the site, 
and I will leave that for a future article if there is interest.  I find this 
style of hacking particularly interesting because it sits in that "grey area" 
between publicly available and "breaking-and-entering."  Again, I do not know 
the law, but I am sure it sides with the companies who own the sites.  If we 
access a page or a directory that is publicly accessible or available (as long 
as you know where to look) could we (and should we) be prosecuted?  Were any 
laws technically or even ethically broken?  Is this entrapment?  Or are we 
just giving lazy, incompetent administrators free run to perpetuate insufficient 
security by their own lack of ability?  I think that if something is so 
important that you don't want it out on the internet, then don't put it on a 
server without adequate protection.  If you do, I think you as an administrator 
should be held responsible.  Isn't it hypocrisy to punish hackers for accessing 
a file yet not punishing the host for releasing the file?  They should be held 
accountable for their mistakes instead of blaming the hackers.  If we have the 
potential to go to jail, so should they.
