This type of attack forces access to files, directories, and commands that are located outside the web document root directory or CGI root directory.
An attacker can craft a URL so that the web site executes files on the web server or discloses their contents. Even though most web sites restrict user access to the web document root or CGI root directory, an attacker can break out of these directories by using special character sequences.
Signature name | Description | More information |
---|---|---|
HTTP_Apache_SlashSlash | Detects an HTTP GET followed by a double slash. | IBM® X-Force®: Apache GET request directory traversal |
HTTP_DotDot | Detects web requests containing one or more /../ sequences that attempt to navigate above the top of the web directory hierarchy. This is often an attempt to bypass the normal security imposed by the web server and access normally restricted files. | IBM X-Force: HTTP "dot dot" sequences |
HTTP_DotDotDot | Detects web requests containing a /... sequence. | IBM X-Force: HTTP request contains "dot dot dot" in the URL |
HTTP_GET_DotDot_Data | Detects HTTP GET requests that contain ../../../.. in the data. | IBM X-Force: HTTP "dot dot" sequences |
HTTP_GET_Dotdotdot_Data | Detects HTTP GET requests that contain /... in the data. | IBM X-Force: HTTP GET request contains "dot dot dot" |
HTTP_Perl_Example_Code | Detects web requests containing one or more ../.. sequences that attempt to navigate above the top of the web directory hierarchy and execute an ActiveState Perl program. | IBM X-Force: Microsoft Internet Information Server (IIS) ActivePerl command execution |
HTTP_PhpRocket_Traversal | Detects an HTTP URL which has a query string containing a page= parameter and whose argument contains a directory traversal (../..). | IBM X-Force: PHP Rocket Add-in for FrontPage "dot dot" directory traversal |
HTTP_POST_dotdot_data | Detects a POST command with argument data that contains (../../). | IBM X-Force: HTTP POST data contains dot dot path |
HTTP_POST_dotdotdot_data | Detects HTTP POST requests that contain (/...). | IBM X-Force: HTTP POST dot dot dot directory traversal |
HTTP_POST_JBoss_Traversal | Detects a POST to the JBoss DeploymentFileRepository service object that is attempting to traverse the directory structure. | IBM X-Force: JBoss Application Server DeploymentFileRepository directory traversal |
HTTP_Sunone_Viewlog | Checks for a specially-crafted URL designed to traverse directories and view files. | IBM X-Force: Sun ONE Directory Server ViewLog function directory traversal |
HTTP_URL_BackslashDotDot | Searches for backslash-dot-dot-backslash encoded as hexadecimal in the raw URL (%5c%2e%2e%5c). | IBM X-Force: Apache HTTP Server non-Unix version URL encoded directory traversal |
HTTP_URL_dotpath | Detects web requests that contain a /./ sequence. This might indicate an attacker's attempt to evade an intrusion detection system. | IBM X-Force: HTTP URL contains /./ (slash dot slash) |
HTTP_URL_Repeated_Dot | Detects URLs with repeated . (period or dot) characters. | IBM X-Force: Microsoft IIS malformed URL extension data denial of service |
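
The following added example (not IBM's signature implementation) pairs raw-string checks modeled on the generic signatures above with a normalization check that reports whether the decoded path actually climbs above the document root. The regular expressions, function names, and sample request targets are assumptions constructed for illustration; only the signature names come from the table.

```python
import re
from urllib.parse import unquote

# Regex approximations (assumptions) of the generic patterns in the table,
# applied to the raw, still-encoded request target.
RAW_PATTERNS = {
    "HTTP_Apache_SlashSlash": re.compile(r"^//"),
    "HTTP_DotDot": re.compile(r"/\.\./"),
    "HTTP_DotDotDot": re.compile(r"/\.\.\."),
    "HTTP_URL_BackslashDotDot": re.compile(r"%5c%2e%2e%5c", re.IGNORECASE),
    "HTTP_URL_dotpath": re.compile(r"/\./"),
}

def escapes_root(target, max_rounds=3):
    """Return True if the decoded path climbs above the document root."""
    path = target.split("?", 1)[0]          # path only; query is not a path
    for _ in range(max_rounds):             # decode until stable, bounded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:                   # stepped above the root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def classify(target):
    """Return (sorted signature-style hits on the raw target, escapes_root)."""
    hits = sorted(n for n, rx in RAW_PATTERNS.items() if rx.search(target))
    return hits, escapes_root(target)

# Constructed sample request targets, not taken from real traffic.
SAMPLES = [
    "/index.html",
    "/images/../index.html",                # matches a pattern, stays in root
    "/a/%5c%2e%2e%5c%2e%2e%5csecret.txt",   # hex-encoded backslash form
    "/a/%2e%2e/%2e%2e/secret.txt",          # no raw match, still escapes
    "/view?page=../../secret.txt",          # traversal in the query string
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

The second and fourth samples show why the two checks complement each other: a raw pattern can fire on a request that never leaves the root, and an encoded request can leave the root without matching any raw pattern.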