Imperva Cyber Community

 View Only
  • 1.  Directory traversal attempts not blocked

    Posted 10-18-2022 03:00
      |   view attached
    Dear all,

    Recently we find from our web server access log indicating that the attached directory traversal attempts had not been blocked by the WAF.

    Our WAF gateway is deployed in bridge mode and we see "Connections using unsupported ciphers" error in the Setup > Gateways screen. However, we are not able to find SSL Untraceable Connection alert(s) at the time stamps when the directory traversal requests were sending to the web server. So, I'm not sure if the attempts beeing not blocked is really due to the unsupported cipher issue. Any advice or suggestion?

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ken Chau
    IT Manager
    ------------------------------


  • 2.  RE: Directory traversal attempts not blocked

    Posted 10-18-2022 05:39
    Hello Ken,

    Thank you for your post, hope the service group is in active mode for blocking and second in some cases Directory Traversal attacks are not blocked.



    If this HTTP GET request is sent from a non-browser application, and the URL string is not altered, then the WAF triggers an Alert.
    Similar attacks which are blocked
    When the attacker sends a URI encoded directory traversal such as http://my.website.com/..%2f , the browser doesn't convert it and the Web server receives the attack. In this case, the WAF decodes the request and triggers the URL Traversal policies. This specific example triggers the alert: URL is Above Root Directory.


    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 3.  RE: Directory traversal attempts not blocked

    Posted 10-18-2022 06:07
    Hi Syed,

    Thanks for your reply.

    Our sever group is in active mode and it is blocking other malicious traffic. We find out the attack string in the URI from the web server access log, so they should not be altered by the browser. Specifically for the previously attached request traffic, the attacker was using an OpenVAS Scanner 9 user agent to send out the request. Just wonder why these are not blocked. 




    ------------------------------
    Ken Chau
    IT Manager
    ------------------------------



  • 4.  RE: Directory traversal attempts not blocked

    Posted 10-18-2022 07:14
    Hello Ken,

    Thank you for the details, if the request is not getting modified by the browser then it should block, i quickly tested in my lab, by sending the same request and its getting blocked by WAF,



    Better to take a pcap(trace) on the WAF while performing the test on the incoming interface and check the http request, that will be more clear.

    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 5.  RE: Directory traversal attempts not blocked

    Posted 10-18-2022 17:02
    Few additional things to check:

    1. The protected IP is in the server group
    2. The source IP is not part of the ignore IP groups.

    Make sure that the path to the web server is only though the WAF and not taking another route.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 6.  RE: Directory traversal attempts not blocked

    Posted 10-24-2022 21:37
    Hello Sarvesh,

    Both conditions mentioned are met and traffic is going through the WAF to web server and not taking another route. By the way, may I know what is the signature to block the / and then 3 dots?

    Thank you.

    ------------------------------
    Ken Chau
    IT Manager
    ------------------------------



  • 7.  RE: Directory traversal attempts not blocked

    Posted 10-31-2022 15:01
    Hello Ken,

    We have multiple signatures matching this pattern, as shown in the below screen shot,



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------