Are path traversal attacks possible if the attacker is not authenticated in the web application?
That depends on the implementation. You need to provide more specific details to get a better answer. – bayo Aug 13 '15 at 15:11
2 Answers
Absolutely. It just depends on what your requirements are for a user to be able to upload a file. If only authenticated users are allowed to upload files then it shouldn't be possible. If anyone can upload a file then, yes, unauthenticated users can do it.
Read up more on path traversal here: https://www.owasp.org/index.php/Path_Traversal
It is only an attack on the underlying file system and has nothing to do with being authenticated or not.
Of course, because such an attack consists only of trying to find the absolute path to some sensitive and informative files your website may host. This operation does not require any authentication criterion.
Such attacks are easily done successfully on websites that do not use, for instance (just an example), an .htaccess file where they should specify restrictions to access certain folders/subfolders and files on their server.
Note that this attack is also known under the name of directory traversal attack. It would be nice if you searched for the various methods used to prevent this attack in case you own a website (or want to have one).
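As an added illustration (not code from either answer or from the linked OWASP page): the sketch below resolves the same request with a naive join and with a canonicalise-then-contain check, for both an unauthenticated and an authenticated caller, to show that the outcome depends on path handling rather than on login state. The function names, the `authenticated` flag and the directory layout are assumptions constructed for the example.

```python
import os
import tempfile

def resolve_vulnerable(base_dir, requested):
    """Naive join: '..' segments in `requested` are honoured."""
    return os.path.normpath(os.path.join(base_dir, requested))

def resolve_safe(base_dir, requested):
    """Canonicalise the path, then require it to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the served directory")
    return target

def serve(base_dir, requested, authenticated, resolver):
    """Hypothetical handler: `authenticated` never affects path resolution."""
    with open(resolver(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()

def demo():
    # Constructed layout: public/index.html is meant to be served,
    # secret.txt one level above it is not.
    root = os.path.realpath(tempfile.mkdtemp())
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("s3cret")

    request = os.path.join("..", "secret.txt")
    results = {}
    for authenticated in (False, True):
        results[("vulnerable", authenticated)] = serve(
            public, request, authenticated, resolve_vulnerable)
        try:
            serve(public, request, authenticated, resolve_safe)
            results[("safe", authenticated)] = "served"
        except PermissionError:
            results[("safe", authenticated)] = "rejected"
    results["legit"] = serve(public, "index.html", False, resolve_safe)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The containment check belongs in the code path that opens the file, so it applies to every caller regardless of whether an authentication layer sits in front of it.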