Interesting Alert on Path Traversal attack technique


Jon Ford

Dec 9, 2016, 1:25:57 PM
to OWASP ZAP Developer Group


I'm trying to understand an alert on a Path Traversal that ZAP produced. The references that are applied make no reference to the type of attack that was applied.

The test was -> /thisshouldnotexist


The result of that URL returned the same results as http://192.168.1.106/search/advanced/ would return, as a 200 response.

A test with only one / -> "http://192.168.1.106/search/advanced/thisshouldnotexist" results in a 404

So my question is, what path traversal technique is being tested by applying a second "/" to the URL? I cannot find any reference that displays "//arbitrarytext" as a test for Path Traversal or explains what is happening with this test. After a discussion with thc202 in the freenode channel for OWASP ZAP, it has been theorized that this might be an error.


[Chat Session discussing the issue]
<palpatine> ZAP performed a Path Traversal test that I do not understand. Hoping someone can point me to a resource to explain it. The attack was http://example.com/somepage//thisshouldnotexist. This attack works in the sense that it returns somepage. /./ does not and /../ does not.
<palpatine> I'm not really sure what is happening file structure wise with the //
<palpatine> This particular test is not found on the site, or in the testing guide
<thc202> palpatine, which input vectors were selected?
<thc202> was the value exactly "thisshouldnotexist" ?
<palpatine> thc202: Injectable Targets [URL query String, POST Data, URL Path, HTTP Headers (not All requests)] Built in [Multipart Form-Data, XML Tag, JSON, Google Web Toolkit, OData ID, Direct Web Remote]
<palpatine> scan policy is Default
<thc202> ok, and the value injected?
<palpatine> the //thisshouldnotexist is the part that was added to the URL
<palpatine> it returns the same as if the //thisshouldnotexist was not added; however, if a . or .. is placed between the // then it 404's
<thc202> need to check the exact behaviour of the scanner with input vectors selected, that value is being injected just to check the behaviour of the target server on missing resources
<thc202> supposedly just one slash should be being added
<palpatine> you are correct, it is actually adding /thisshouldnotexist to the URL
<palpatine> What I don't understand is what is happening on the filesystem side that causes it to ignore the /thisshouldnotexist and return the page before the /
<palpatine> the application will return the same page for advanced as for advanced/ or advanced// and advanced//somearbitrarystring
<thc202> I meant that the scanner should test "advanced/thishouldnotexistandhopefullyitwillnot", not have both //
<thc202> but, the behaviour that you are seeing is interesting
<palpatine> if only one slash is included then it returns a 404
<palpatine> if two are included it returns the page prior to the slashes
<thc202> right, the scanner was testing that case, 404
<palpatine> in fact any number of slashes more than 1 will return the page before them
<thc202> do you know the server being used? that might be the expected behaviour(?)
<palpatine> it's a Magento OVA on Ubuntu
<palpatine> Why would ZAP see this as a vulnerability? What filesystem behavior is it trying to test?
<palpatine> screenshot of zap
<thc202> did ZAP raise an alert for that?
<palpatine> High Risk Medium Confidence
<palpatine> the attack was /thisshouldnotexist
<thc202> seeing the screenshot now
<thc202> hm, is there a URL like /catalogsearch/advanced/result ?
<thc202> the server returning OK for that test might be misleading the logic of the scanner and be an FP
<palpatine> adding "/result" returns a 302 back to advanced, where //result will return a 200
<thc202> ok, thanks, could you post this case to zaproxy...@googlegroups.com ? I'll check why exactly the scanner is raising the alert
<palpatine> Ok. Any issue with me including this chat in the post?
<thc202> no
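
The behaviour Jon describes (404 for `advanced/thisshouldnotexist`, but the advanced search page for `advanced//thisshouldnotexist`, `advanced///...` and so on) is exactly the kind of thing a "missing resource" probe is meant to catch before a scanner trusts a 200 on a traversal payload. The script below is an added example, not code from the thread and not ZAP's own scanner logic: it requests a non-existent resource in each slash shape, records status and a body digest, and states whether a 200 under that base path can mean anything. `fake_magento` is a constructed stand-in that reproduces only the status codes reported in this thread (it does not model real Magento routing); the `fetch` callable is an assumed interface you would swap for a real HTTP client.

```python
"""Probe how a target answers requests for resources that should not exist.

Added example for the ZAP thread above; not ZAP code. The only "facts" baked in
are the status codes the thread reports for the test host.
"""
from hashlib import sha256
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]          # (HTTP status, response body)
Fetch = Callable[[str], Response]   # assumed shape of the request function

BASE = "/search/advanced"
TOKEN = "thisshouldnotexist"        # the value the thread reports ZAP injecting


def fake_magento(path: str) -> Response:
    """Constructed stand-in for the target in the thread.

    Reproduces only the observed behaviour: 200 for advanced, advanced/,
    advanced// and advanced//anything; 302 for advanced/result; 404 otherwise.
    """
    page = "<html>advanced search form</html>"
    if not path.startswith(BASE):
        return 404, "not found"
    rest = path[len(BASE):]
    if rest in ("", "/") or rest.startswith("//"):
        return 200, page
    if rest == "/result":
        return 302, ""              # redirects back to advanced
    return 404, "not found"         # advanced/x, advanced/./x, advanced/../x


def probe_missing_resource(fetch: Fetch, base: str, token: str = TOKEN) -> Dict[str, Response]:
    """Request a resource that should not exist, in each slash shape a
    traversal check might use, and record (status, short body digest)."""
    variants = {
        "baseline":       f"{base}/",
        "single_slash":   f"{base}/{token}",
        "double_slash":   f"{base}//{token}",
        "triple_slash":   f"{base}///{token}",
        "dot_segment":    f"{base}/./{token}",
        "dotdot_segment": f"{base}/../{token}",
    }
    out: Dict[str, Response] = {}
    for name, path in variants.items():
        status, body = fetch(path)
        out[name] = (status, sha256(body.encode()).hexdigest()[:12])
    return out


def classify(fetch: Fetch, base: str) -> str:
    """Say whether a 200 on a path payload under `base` is evidence of anything.

    A 200 only means something if the server 404s for unknown resources in the
    same slash shape; if repeated slashes return the base page byte-for-byte,
    any payload placed after them will "succeed" and a status-based check will
    raise a false positive.
    """
    r = probe_missing_resource(fetch, base)
    if r["single_slash"][0] == 404 and r["double_slash"] == r["baseline"]:
        return "tail after repeated slash ignored: 200 is not evidence of traversal"
    if r["single_slash"][0] == 200:
        return "200 for any missing resource: status codes cannot be used at all"
    return "missing resources 404: a 200 on a payload is worth investigating"


if __name__ == "__main__":
    for name, (status, digest) in probe_missing_resource(fake_magento, BASE).items():
        print(f"{name:15s} {status} {digest}")
    print(classify(fake_magento, BASE))
```

Against a real host, replace `fake_magento` with a function that performs the request (with redirects disabled, so the `/result` 302 stays visible) and run `classify` per base path before reading any traversal alert as High; the body digest matters because, as here, the status alone does not distinguish "served the traversed file" from "served the same page again".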

kingthorin+owaspzap

Dec 9, 2016, 3:16:56 PM
to OWASP ZAP Developer Group
Not sure if this is a contributing factor or not, but I noticed in your screenshot that the user agent was DirBuster, which means the base request which the Path Traversal operated against was made by the ForcedBrowse addon.