Detection: Encoded Path Traversal
Overview
Detect when a web server received requests whose URI contains URL-encoded or otherwise obfuscated path traversal sequences. This detection targets traversal attempts that rely on encoding to evade basic security controls, so it catches requests that plain ../ matching would miss.
Attackers use encoding to slip past simple pattern matching and security filters when attempting path traversal. Common methods include URL encoding (percent encoding), where characters are replaced with their hexadecimal ASCII values (e.g., ../ becomes %2e%2e%2f); double encoding, where already encoded values are encoded again (e.g., %2e becomes %252e, which a single decoding pass turns back into %2e rather than .); the non-standard %u notation historically accepted by Microsoft IIS (e.g., ../ becomes %u002e%u002e%u002f); overlong or malformed UTF-8 sequences that permissive decoders map to a slash or backslash (e.g., ../ becomes ..%c0%af); and backslash variants aimed at Windows path handling (e.g., ../ becomes ..%5c). These techniques are often combined with other evasion methods such as path normalization tricks and null byte injection.
When this detection triggers, security teams should first determine whether the request succeeded (the status column is the quickest indicator) and which files the attacker was trying to reach. Longer-term remediation includes deploying a web application firewall with rules that block encoded traversal sequences, validating input against an allowlist rather than a denylist, applying least privilege to the web server's file system access, patching web applications and frameworks, and enforcing proper file access controls.

False positives may occur with applications that legitimately use encoded characters in URLs, language or internationalization features that carry Unicode in the path, frameworks that URL-encode special characters, and content management systems with complex URL structures.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.encoded_path_traversal
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.encoded_path_traversal --share
SQL
This detection uses a named query. Two caveats when reading it: % is the LIKE wildcard, so a pattern such as '%..%2f%' matches any URI containing .. followed anywhere later by 2f, not only the literal ..%2f, which makes the patterns broader than the comments suggest and explains some of the false positives listed above; and because ilike is already case-insensitive, the upper-case variants (e.g., '%..%2F%') add no coverage. The %u notation described in the overview is not in this pattern set.
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- URL encoded traversal sequences
    request_uri ilike '%..%2f%'
    or request_uri ilike '%..%2F%'
    or request_uri ilike '%..%5c%'
    or request_uri ilike '%..%5C%'
    or request_uri ilike '%%2e%2e%2f%'
    or request_uri ilike '%2e%2e/%'
    or request_uri ilike '%2e%2e%2f%'
    or request_uri ilike '%2e%2e%5c%'
    -- Double URL encoding
    or request_uri ilike '%%252e%252e%252f%'
    or request_uri ilike '%%252e%252e%255c%'
    -- Unicode/UTF-8 encoding
    or request_uri ilike '%..%c0%af%'
    or request_uri ilike '%..%e0%80%af%'
    or request_uri ilike '%..%c1%1c%'
    or request_uri ilike '%..%c1%9c%'
    -- Overlong UTF-8 encoding
    or request_uri ilike '%..%c0%2f%'
    or request_uri ilike '%..%c0%5c%'
    or request_uri ilike '%..%c0%80%af%'
    -- Hex-encoded
    or request_uri ilike '%2e2e2f%'
    or request_uri ilike '%2e2e5c%'
  )
order by
  tp_timestamp desc;
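The encodings described in the overview and the pattern set in the query above, exercised together as an added Python example written for this page (it is not part of the apache_access_log_detections mod). It parses constructed Apache combined-format log lines, flags URIs that contain the encoded traversal tokens the query looks for (ENCODED_TOKENS is this example's literal reading of the ILIKE patterns), then canonicalizes each URI by repeated percent decoding, %uXXXX decoding and a deliberately permissive UTF-8 decoder so an analyst can see which hits really resolve to ../ and which encodings the token list misses. The sample log lines, the lenient decoder and the sql_ilike helper are all assumptions made for the example.

```python
"""Added example: run encoded path traversal checks over constructed Apache log lines
and canonicalize each request URI. Not part of the apache_access_log_detections mod."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample traffic in Apache "combined" format (not real logs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1234 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /static/..%c0%af..%c0%afwindows%c0%afwin.ini HTTP/1.1" 400 0 "-" "python-requests/2.31"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /cgi-bin/..%5c..%5cboot.ini HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET /files?name=%u002e%u002e%u002fweb.config HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=a..b%2fc HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.16 - - [10/Oct/2023:13:55:42 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def parse_line(line: str):
    """Extract client IP, request URI and status from one combined-format line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

# Literal reading of the query's ILIKE patterns (assumption: '%..%2f%' means the token ..%2f).
ENCODED_TOKENS = [
    "..%2f", "..%5c", "%2e%2e%2f", "%2e%2e/", "%2e%2e%5c",      # single URL encoding
    "%252e%252e%252f", "%252e%252e%255c",                        # double encoding
    "..%c0%af", "..%e0%80%af", "..%c1%1c", "..%c1%9c",           # overlong / malformed UTF-8
    "..%c0%2f", "..%c0%5c", "..%c0%80%af",
    "2e2e2f", "2e2e5c",                                          # bare hex
]

def encoded_token_hits(uri: str) -> list:
    """Case-insensitive substring match, which is what the query's comments intend."""
    u = uri.lower()
    return [t for t in ENCODED_TOKENS if t in u]

def sql_ilike(value: str, pattern: str) -> bool:
    """Emulate SQL ILIKE as the query actually evaluates it: % matches any run of
    characters, _ matches one character, comparison is case-insensitive."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

U_RE = re.compile(r"%u([0-9a-fA-F]{4})")

def lenient_utf8(data: bytes) -> str:
    """Model of a permissive decoder (assumption for this example): a 2- or 3-byte lead
    consumes the following bytes and keeps only their low 6 bits, so overlong %c0%af and
    malformed %c0%2f both become '/'. Anything else is read as Latin-1."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append(chr(b)); i += 1
    return "".join(out)

def canonicalize(uri: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX repeatedly until stable (bounded, so double encoding unwinds),
    fold backslashes to slashes and drop null bytes."""
    cur = uri
    for _ in range(max_rounds):
        step = U_RE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        step = lenient_utf8(unquote_to_bytes(step))
        if step == cur:
            break
        cur = step
    return cur.replace("\\", "/").replace("\x00", "")

# A ".." segment at the start of the path, after a slash, or right after a query key.
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")

def is_traversal(canonical: str) -> bool:
    return TRAVERSAL_RE.search(canonical) is not None

def run_detection(log_text: str) -> list:
    """One finding per line that contains an encoded token (what the query catches) or
    canonicalizes to a traversal (what it would miss, e.g. the %u form)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tokens = encoded_token_hits(rec["uri"])
        canonical = canonicalize(rec["uri"])
        traverses = is_traversal(canonical)
        if tokens or traverses:
            findings.append({"source_ip": rec["ip"], "status": int(rec["status"]),
                             "resource": rec["uri"], "tokens": tokens,
                             "canonical": canonical, "traverses": traverses})
    return findings

if __name__ == "__main__":
    for f in run_detection(SAMPLE_LOG):
        print(f["source_ip"], f["status"], f["canonical"], f["tokens"] or "canonical-only")
```

The status field carried into each finding answers the first triage question from the overview (did the request succeed), and the canonical form shows the file the attacker was after. Run against the sample, the benign /search?q=a..b%2fc line produces no token hit and no traversal, yet sql_ilike confirms the query's '%..%2f%' pattern would still select it, which is the wildcard caveat noted above.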