Module 183 - Implementing application security

These are my course notes for module 183 of the Modulbaukasten.

Path-Traversal

This term describes an attack in which a file path that the server builds from user input is manipulated so that it points outside the intended directory. The attacker keeps going up the directory tree until a useful file is reached. It is also known as "Directory-Traversal" or "File-Path-Traversal".

Example

A website has a path called /loadimage and takes the filename as a parameter: https://example.com/loadimage?filename=gift.png.

The issue here is that an attacker could simply go up a directory by using ..: https://example.com/loadimage?filename=../../../etc/passwd

Preventing

To prevent path traversal, it is recommended to avoid APIs that pass user input directly into OS file paths. If this is unavoidable, validate that the passed parameter (the input) consists only of alphanumeric characters, or canonicalize the path (resolve any . and .. segments) before using it.

Assignments

Assignment 2

From which directory are the pictures being pulled?

The images are being pulled from http://localhost:3000/eiger.jpg. The http://localhost:3000/ server is the DB server.

What HTTP-Request is being used?

A GET request to the server/directory: http://localhost:3000/eiger.jpg.

Is it possible to access other files in this directory?

Yes, however those files are already used somewhere else. A path traversal is not possible because the files are not paths on the OS but rather DB entries.

How is the access to resources (such as pictures) managed with the Express framework?

This is done within the api.js file of the backend. It creates new Mountain objects with the properties that come from the backend:

// load sample mountains (sampledata is a GeoJSON FeatureCollection: each
// feature carries a properties object and a geometry with [longitude, latitude])
for (const mountain of sampledata.mountains.features) {
  await Mountain.create({
    id: mountain.properties.id,
    name: mountain.properties.name,
    image: mountain.properties.img,
    elevation: mountain.properties.el,
    description: mountain.properties.description,
    hasmountainrailway: mountain.properties.mountainrailway,
    longitude: mountain.geometry.coordinates[0],
    latitude: mountain.geometry.coordinates[1],
  });
}