Liran Tal

[00:00:00] Paul: Hi there and welcome to PodRocket, a web development podcast brought to you by LogRocket. LogRocket helps software teams improve user experience with session replay, error tracking, and product analytics. Try it for free at logrocket.com today. My name is Paul, and joining me is Liran. He's the director of developer advocacy over at Snyk. He's here to chat about his recent conference talk, "The Char Wars: The Path Traversal Strikes Back." And man, I'm excited to talk with Liran. We were mentioning before we hopped into the podcast today that it's a generally new topic for me. What is path traversal? Why is it dangerous? We're gonna be getting into that today. But really quickly, besides being a JavaScript enthusiast and Node.js developer, Liran has been building applications and command line tools for over a decade now. He's received the OpenJS Foundation's Pathfinder Award for Security for his work, and he just loves elevating other people around the planet. If you check out his GitHub, it's rich, full of awesome posts and projects. Welcome to the podcast, Liran. It's awesome to have you.

Liran: Thank you for having me, [00:01:00] Paul. And what an amazing intro. I couldn't have done any better myself.

Paul: I hope it conveys my excitement to get into this. Like I mentioned in the intro, we're gonna be talking about path traversal, and you mentioned all over your GitHub that you are a Node.js guy. So before we step into this: is this only Node.js? This applies to a lot of domains, right?

Liran: Path traversal. Yeah, that security concept is definitely transitionary between different ecosystems and languages, and so it's a good gem to basically understand how that works so you can build some secure code.

Paul: And I don't know what domains we're gonna be talking about in the context today.
I'd love to talk about what domains this might affect, but to get into it, what is path traversal, Liran, and why is it something important that we wanna crack into today?

Liran: Let's start with, like, why is that important? Because I think developers are made aware of general public concerns, things like the vulnerabilities they see when they install stuff with npm audit. Maybe they think, or hear about, malicious packages at times when they install packages. That's all kind of the things that are top of mind: the [00:02:00] cybersecurity news, the stuff on newsletters and whatever. But specific insecure coding conventions that may end up as actual vulnerabilities, like path traversal, are not the stuff that you always see. At the gist of it, the very raw definition for it is path traversal, also known as directory traversal as well. It's a thing that exploits insufficient security validation, I would say. When you do not sanitize your inputs, and they might be user generated, from users using your application, things end up traversing to parent directories or actually looking for files on the file system. Those kinds of inputs end up in very sensitive APIs, things like child_process or path modules that end up reading files and saving them on disk and stuff like that. So as you concatenate paths and stuff like that, at the end of the day, that may actually end up with someone being able to, as it says, traverse a directory, which essentially means they can [00:03:00] access files that you don't really want them to be able to access.

Paul: A boundary, right, at the end of the day. My file system.

Liran: Yeah. So exactly that. If you do not have that boundary in some way, where you sanitize the input, where you use maybe the correct way of using APIs to basically concatenate paths in a secure way,
then you end up going outside of the boundary of what the application should actually provide you, the image file that you downloaded or uploaded or something like that. And then you can access things that you don't wanna access, things like your config.json, all of your API keys, your database credentials, everything there. That's pretty much the right definition for this.

Paul: So you talked about path traversal in your talk, "The Char Wars: The Path Traversal Strikes Back." And if we're talking about a new concept, and I wanna model it in my head, I want to know what's an example of something that happened in the real world, or what are some inspirations for why you are presenting something the way it is? So if we could maybe start with: why did you call it "The Char Wars," and why did you say the [00:04:00] path traversal strikes back? And then I would love to dig into whether there's an example that you had in that talk that maybe inspired the name.

Liran: I'm a huge Star Wars fan, so I guess that kind of came from Star Wars and The Empire Strikes Back, that specific episode. And it's the way I felt with path traversal as a vulnerability, because as a security vulnerability, if you scan your dependencies or something like that, you would probably rarely see a path traversal vulnerability. It's not that common. If you even look at the list which is kind of a standard, not really a standard, but a list of web security risks that you should be aware of, the top 10 concerning of them, it's not even listed there. So, like, why are we even talking about it? That is where I was going with this, where it can actually strike back, it can actually be very brutal in terms of the impact of a path traversal attack.
And I guess the Star Wars inspiration came in, and "Char Wars" is characters, and that's how you use different character encodings to actually access file [00:05:00] system paths.

Paul: So when you say we're talking about encoded characters, obviously there's the UTF-8 and ASCII boundaries and encodings that you can go through. But when you're mentioning sticking something on a path and accessing a directory, I'm thinking about simply concatenating a string, maybe injection or something. But when you mention something being encoded, is there another layer that we need to peel back here, under the user land of the Node.js sort of level, about how a path traversal could happen?

Liran: So the funny thing about path traversal is that to actually execute, to actually employ a path traversal attack, just the attack, the payload itself, is very straightforward. You essentially traverse the directory. So if you're trying to access an image file on some server, you have the whole HTTP scheme, the address, the domain, and then slash, you know, maybe /public/ and some image file, .png or whatever. And if you wanted to traverse back and see if you can access, say, sensitive files that the server [00:06:00] might be leaking, accidentally of course, maybe you go and try and access ../../config.json or something like that. So the actual payload is simple, to an extent, to be able to try and access those kinds of sensitive files. And so this is kind of where we're starting to get more hands-on with: hey, but what if the developers on the application side are actually putting mitigation controls in and actually looking at whether ../ is part of the request URL, the path being requested? I'll deny it. And then comes in all the fun stuff with URL encoding, which circumvents the whole process altogether.
And then everything falls down, breaks apart, and path traversal happens.

Paul: Whoa. I feel like a lot just happened in the last 15 seconds, Liran. So you mentioned URL encoding, and then path traversal happens. Can we rewind the cassette tape and start right there?

Liran: Definitely.

Paul: Yeah, what happens with URL encoding, and why is that significant?

Liran: Encoding is a method that is supported by the spec, by the internet, in a sense. [00:07:00] And we can actually use that to circumvent any kind of path mitigations that have been added as a security control. And so what I mean by that is essentially, if you have a file name, or your first and last name, and you wanna put that in the URL, and you want to replace a dot with its actual encoding to transfer that as a dot, to say this is a dot, you can actually use %2E in the URL. So you can actually access files like /public/liran%2E, and then you signify, you symbolize to a system, that you're trying to access a file that's named "liran." (with a dot). And the whole browsers, servers, around the whole HTTP spec, that layer of the networking stack knows that it needs to decode URLs that have been encoded like the %2E kind; imagine there's a regex going on behind the scenes. And then it decodes that and says, okay, I'm actually supposed to access a file called /public/liran. because that's what the %2E encoding symbolized.

Paul: I was just gonna add, if [00:08:00] anybody is listening and you're like, what are these guys talking about? Copy and paste the share link for this podcast and put it in, and you can see %2F, %2E; those are all URL encoded parameters. And Liran, correct me if I'm wrong, but we're talking about those specific encodings right here that you find in the interesting part of the URL.

Liran: Yeah.
Paul: And so essentially, when we have these encoded parameters, it adds an extra layer of abstraction. You're saying, when the developers, it's like, should I check for how this is encoded if I'm doing a manual parsing of the HTTP request? It's something that you need to be aware of, where people can inject almost parameters and ../../.

Liran: This is kind of where things go a bit fuzzy in terms of who has the responsibility as an application developer. Like, where does the responsibility lie when you manage those kinds of things? If I'm using a library that is all, like, static or whatever, right? If you're using a library to serve static files, I dunno, potentially you might think that it is the responsibility of that library to protect against it. Maybe it has this toggle that you need to enable, secure mode is true or whatever. Hopefully you don't need to [00:09:00] actually turn anything on, because you'll have security by default. But yeah, that really depends. Are you the person actually implementing the file access or file management part of things? And if not, and even more, it's not just serving static files. Think about the aspect, a capability that you have, of allowing users to upload files. All those files, if you manage the upload on a Node server, you actually receive the input, you have to save the files somewhere. So then again, you go into that problem of concatenating file system strings like, I dunno, /tmp, whatever, and then the file that was uploaded. And what happens if I am using a form upload, a multipart form upload, and I'm actually updating and modifying that? The file name is not really yoda.png, but actually ../yoda.png. And then you are taking that and maybe not thinking about the actual security implications that, well, someone could actually control that, because that's user input.
Paul: Do you feel like this is, coming back to the naming of your [00:10:00] talk, an oversight of the industry as a whole, and that's why it's coming to strike us back, almost?

Liran: It's the type of vulnerability I've been having lots of fun just exploring myself. I've been dabbling and doing a lot of security research, so I've been looking at a lot of code that has those kinds of vulnerabilities. And definitely a few years back, I think pre-2020, there's been significant evidence of a lot of controversial vulnerabilities being found and disclosed. And that's based on an accumulated research, like an aggregate research, that was specifically looking at finding vulnerable code, path traversal, and then it found 200 of those npm packages and disclosed all of those. And those things actually happen. If you look daily at vulnerability feeds, on a daily basis you'll find new vulnerabilities, some of which are path traversal as well. I guess even more than that, it's that impact that path traversal has. In that talk I gave, it actually has this evidence, or a reference, for how a mail server was actually abused [00:11:00] via a kind of path traversal vulnerability. They started a whole exploitation through path traversal, and they escalated that attack into remote code execution, which is, when you talked about the impact in the industry, people think path traversal is a very simple vulnerability. But its actual impact, if someone is able to exploit it, is potentially very wide. And it depends on how your application server is actually built, if it has the right file system permissions from the get-go, if you save sensitive files on the file system like, you know, config.json, API, DB or whatever, and you have credentials there and I can access them, that's not exactly a good thing.
Paul: I would love to ask you about something that has happened in the real world that might relate to path traversal. But before I do that, I just wanna take a quick second to remind our listeners that the podcast is brought to you by LogRocket. LogRocket offers session replay, issue tracking for your front end and full stack application, and product [00:12:00] analytics to help you quickly surface and solve impactful issues affecting your user experience. So if you wanted to try to debug your app and empower your teams, head over to logrocket.com and try it out today. So Snyk, in general at the company, you guys deal with static analysis and looking at packages, and I know a host of other things, but it's in the vein of security and making sure there's good hygiene. Does this play into your day-to-day work at the company, looking at path traversal vulnerabilities and building it into your products?

Liran: Yeah, definitely. There's an interesting story as well there too, because we had kind of embarked on a research about two years ago. Yeah, 2021. We had this research where we were looking at VS Code extensions and trying to see, around the whole supply chain security, if there's malicious packages, just general things like that. As developers, if I ask you, right, you're always trading, hey, what's your theme? What's your favorite VS Code extension? And developers exchanging those. [00:13:00] So we looked into this and we found extensions that had security vulnerabilities inherent in the extension itself. Now, as a developer using the IDE as a tool, when you install an extension, you don't think about the impact of said extension having a security vulnerability, right? That's okay, whatever. I don't deploy these to production. Doesn't really make sense if it has any. I don't mind. I'm seeing you nodding and saying, no, you don't mind.
So I'm taking that.

Paul: No, I'm in total agreement here. If I see an extension, I look for 4.8 stars or more, and that's it.

Liran: Download counts too.

Paul: Yeah, of course. And if you get a download count of under 500, you're special. You're into some niche stuff, yeah. But please, Liran. So what happens when you... yeah, you're not paying attention, I'm not paying attention, the people listening aren't paying attention. What are we up against?

Liran: Yeah. So what ended up happening is that we found several extensions having some vulnerabilities, and a vulnerability as literally as simple [00:14:00] as a path traversal vulnerability. But the Snyk security researchers were able to come up with potentially a zero-click payload, like an exploit that takes the fact that you have a path traversal vulnerability and escalates this up. And actually that ends up being either a potential thing like command injection, or just accessing your files, like you just leak them. And so far it's okay, so how does that actually happen? And they used very interesting techniques also that you'd have to, to actually circumvent how security protocols like CORS and standards like that actually work in the browser. So that actually made things a bit harder to exploit. But one of those extensions was like, open a file as a README and just view it under the right pane of your IDE, which I do sometimes. I don't need to commit it and then see it on GitHub, right. And this thing works in a very simple way. It literally spins off a web server that runs locally so that it can render, as a web [00:15:00] view, the markdown to HTML. Now you understand there's paths involved, right? Because it needs to take the README as an input and then render that as a server, like a web server thing, and so on. And that has a path traversal vulnerability.
And that is something that we have a recording of, and I often demo this as well during this talk, where if you're a developer and you have your IDE open, which who hasn't, then I can send you a link. And the moment that you click on that link, I can access any file that I want on your machine, on your developer environment, laptop, or whatever that is. And literally the only thing you need to do is click and visit that link. So I can plant that on some Reddit or Stack Overflow, or just send it to you as some DM in some phishing attack or whatever. But essentially that is game over. And this is due to the fact that the VS Code extension has this vulnerability that allowed me to fool it and exploit that vulnerability and access any file on disk. And all of that [00:16:00] really happened just due to the fact that it has that path traversal vulnerability. So that story comes back into what we're building at Snyk day to day as well, because we are also building developer security tooling, which means that when you fire up your IDE, if you have the Snyk extension installed, then we kind of show you, hey, there's a potential, you know, insecure coding convention here, and you can see how other repositories have fixed it and so on. That is pretty cool. But the really cool part of this whole story coming full circle here is, we cloned the repository of that VS Code extension that was vulnerable to path traversal. Then we scanned it as it was in the IDE, and it pinpointed several lines of code that had the path traversal vulnerability. So essentially, if you were the extension developer and you had used the tool, you could have mitigated the whole vulnerability while coding it.
So it's an interesting way of seeing how those kinds of little things, when you find them back at your IDE, at your code writing level, as part of the [00:17:00] software development process, are very critical.

Paul: And you mentioned, maybe two or three times now on the podcast, that path traversal at its core is a simple concept to wrap your head around, like you're accessing a directory you're not supposed to. And it has profound consequences here. And in this example that you're giving us, where they have the VS Code extension, you can access any file. It sounds like this is not so simple, because you need to open up a web server. Like, do you have to forward ports or something to make the web server relay to the open network?

Liran: Not specifically, for that VS Code extension. There's a deep dive that has a bunch of flow charts explaining how it happens. That specifically is a tough one to crack, because the web server is on, you know, localhost addresses. And so if I'm sending you some malicious link that I control, I can't just get you to access localhost, because of course, and all of those kinds of things. There's a nice, interesting game of, we're literally port scanning the actual ports that the web server listens on locally, within JavaScript, and trying to [00:18:00] access it. And there's an iframe to escape from some security sandboxes. And there's interesting reading material on this, definitely. But this is really just in the case of the VS Code extension running locally as a web server. If you take it from that concept to the Apache web server, right? That's a web server that has been built for two decades or whatever. And recently, let's go to, again, path traversal here, and you asked how popular it is or what's that impact like.
Apache had a vulnerability back in 2022 of path traversal, and there were, obviously, amazing, brilliant developers working in the Apache Foundation on the Apache project. And they have missed secure coding conventions in that sense. And to make things worse, or to think, why is it so serious? That vulnerability is actually a path traversal vulnerability actually due to the fact that a prior fix to another vulnerability was not properly implemented. So you can also understand how to write secure code, or how to use the APIs correctly. Do all the validation, do the path [00:19:00] concatenation in the right way, decode from URLs. All of that has to be very perfectly laid in. Otherwise you get all of those path traversal vulnerabilities and insecure coding conventions coming in, creeping in, and vulnerabilities with that.

Paul: Now, if you're using the Snyk extension, or maybe you're using other static analysis tools, it has to look at your code, it has to have some knowledge. But we're talking about context, and almost AI-level tooling here that helps you as a developer. And from your perspective, is detecting and pointing out path traversal in any way more complicated than a typical HTTP security standard that you mentioned at the beginning of the podcast might be at the forefront of our minds as developers? Because it almost feels like I'm bringing it back to, oh yeah, it's a simple concept under the hood, but detecting when it can happen and where those areas of friction could exist sounds sneaky.

Liran: I think it's still... you still get the right context that if you see the vulnerability outlined by, you know, [00:20:00] again, the Snyk extension or something else that does static code analysis, it's straightforward to understand.
I think from the secure coding perspective, the fact that there is potentially some input that may escape, but at the same time there's still some kind of background that you would need to have to understand, like, what is path traversal, and what can someone send to me as a developer, to the app? How will my application behave if it gets, you know, a weird kind of input, right? Not what I intended them to support. And I think from that specific perspective, it's not very hard to understand, but sometimes we just don't think about it. Like, how many times have you thought of, when you unzip an archive, I can actually plant a path traversal link inside the archive? So when you uncompress it, when you unzip the archive or whatever, it'll actually write outside of where you are intending to do it. And I think the awareness, thinking of how things can break, is a [00:21:00] mindset that developers have to adapt to, to just generally be open to understand, hey, yeah, of course something can probably go wrong here, because, you know, this and that may happen.

Paul: So if people walking away from this podcast today wanted to improve the general awareness, or specifically about path traversal, just learn more specifically about path traversal, does Snyk have blogs and resources out there, Liran? Do you have favorites, be it YouTube videos, blogs you've written, that you might wanna point listeners to, to go learn more?

Liran: Yeah. I think we started off with this: this is based off of the whole, this is a new talk based on path traversal, at NodeConf, where we had this presented. And I think that's a really good way to just understand what this is, in a visual way as well, if you needed to, and seek out examples. You asked me about my favorites and I'm gonna share again: Snyk Learn is a really great resource.
It provides really bite-sized, small lessons for developers that are very interactive, and they are very technical yet very small. So if you do not know what path traversal is, you can just Google "Snyk [00:22:00] Learn path traversal," something like that. You land on this webpage that looks like an interactive lesson. You don't need to sign up or log in or anything. It's completely free, and you can learn that for Java and JavaScript. And I highly recommend that as a learning resource.

Paul: Awesome. So it was Snyk Learn, and Snyk is S-N-Y-K.

Liran: Yeah, you should probably just go to learn.snyk.io and you'll find it there.

Paul: Awesome. And Liran, what's your favorite VS Code extension?

Liran: There we go.

Paul: Yeah.

Liran: I knew it was gonna come in at one point. What is it? There's one by a lovely developer, it helps me do screenshots. I think it's called... I forgot the name. I think it's called Screen Down. But we'll add it in the links afterwards, so you can use that. I very much enjoy that.

Paul: I love that we're talking about all the extensions on all the planet, and there's so many things coming out, and we're talking to one of the guys who's on the forefront of what's going on in the JavaScript ecosystem. And he says, my favorite extension [00:23:00] takes screenshots for me. And we're gonna end with that. Liran, if people wanted to follow you, or do a Twitter, do you have a Twitter? Do you post on Twitter?

Liran: Yeah, I'm a regular tweeter, so Twitter slash Liran Tal, or on GitHub, just Liran.

Paul: Thank you for your time. It was a pleasure.

Liran: Thank you.