Developer security guide : Path Traversal Attack

This article is mainly for professionals working as developers or engineers in startups and small firms, where they may be the only person managing everything, including analysis, design and coding. In short, we can tag them as DevOps developers. 🙂

This category of attack exploits path-handling vulnerabilities to access files or directories that were never intended to be accessible. It works on applications that take user input and use it in a “path” that is then used to access the filesystem. If the attacker includes special characters that modify the meaning of the path, the application misbehaves and may give the attacker access to unauthorized resources. This type of attack has succeeded against web servers, application servers, and custom code.

Suppose you are writing a Node.js application that reads a user's folder on the server and displays its contents to the requesting client. Assume you have created a custom URL something like:

http://files.xyx.com/robin

If you haven't applied any filters, there is a possibility that it reveals a file listing from a system folder when the path is altered like:

http://files.xyx.com/%systemRoot%.

It’s possible to overcome this kind of flaw by applying filters, for example by creating an exclusion list or application-specific rules, such as forbidding access to system folders or drives.

Sometimes even such a small flaw has a serious impact, so awareness of security is a primary necessity for developers.

*** Happy Coding *** (Y) 🙂
