Full Report
Web servers no longer simply expose files on disk. Instead, they sit behind proxies and load balancers and fetch responses from other servers internally. Unusual application routing can be used to cause some major havoc.

How do we identify these types of routing when we're blind? Directory traversal and fuzzing for control characters (#,?,&,/,.@) is a good way to find it. Another indicator is a change in the response for certain directories, such as the response headers changing. Finally, stack traces or wrapped responses are good signals here as well.

What kinds of security issues can we find with this? Data being served across extra layers causes strange issues: HTTP smuggling and CRLF injection can be found in unexpected places. Second, since developers don't expect users to be able to control parameters and paths at this layer, it causes havoc on the endpoint. Adding debug flags or traversing up the directory can reach unintended functionality. Information disclosure is a bad one here as well: internal HTTP headers and access tokens come to light. SSRF from this position is especially dangerous because the response is returned to the attacker instead of the request merely being sent into the internal network.

What types of issues will we run into as a hacker? Directory traversal may not work, since not every server will handle these sequences. Another is that some backend servers will still be authenticated with the same headers or cookies as the original request, leaving nothing exploitable. A difficult part is guessing the paths, mostly because this is blind. To get around this, we need good context on the rest of the application, brute forcing and a lot of guesswork.

Sam has a ton of case studies of this. One interesting case was the Authy (2FA) integration with Pinterest. The application was only checking that the request returned a 200 and that the response was {"success":true}. When taking the code from the user and verifying it with Authy, there was a directory traversal in the path. To exploit this, simply using ../sms as the 2FA code would return success and bypass the 2FA! A classic case was a directory traversal in invoice routing: if you knew somebody's email on this back-end service, you could traverse back up twice, insert the email, insert an ID and retrieve invoices across accounts.

A few takeaways for me. First, these types of bugs are out there but it is difficult to triage what to do next. Innovations in the blind discovery of these would be amazing for bug hunting. Next, sanitization is hard for URLs in these cases, with extremely complicated bugs. Overall, great find!
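The 2FA-bypass logic from the Authy/Pinterest case, recreated as an added example (not code from the talk, Authy or Pinterest): a mock proxy that collapses `..` in front of a mock backend whose `/verify` and `/sms` routes, `action` field and 6-8 digit code format are constructed assumptions. The vulnerable check accepts any 200 with `{"success":true}`; the hardened one allow-lists the code, percent-encodes each path segment and confirms which route actually answered.

```python
import posixpath
import re
from urllib.parse import quote

# Constructed mock of an internal 2FA service behind a normalizing proxy. The /verify and /sms
# routes, the "action" field and the 6-8 digit code format are assumptions, not Authy's real API.
EXPECTED_CODE = {"alice": "123456"}


def backend(path):
    """Simulated backend: (status, json_body) for an already-normalized path."""
    parts = path.strip("/").split("/")
    if parts[0] == "verify" and len(parts) == 3:
        code, user = parts[1], parts[2]
        ok = EXPECTED_CODE.get(user) == code
        return (200 if ok else 401), {"success": ok, "action": "verify"}
    if parts[0] == "sms" and len(parts) == 2:
        # Triggering an SMS "succeeds" no matter what code was supplied.
        return 200, {"success": True, "action": "sms"}
    return 404, {"success": False}


def proxy(raw_path):
    """Simulated edge proxy: collapses '..' segments before forwarding (the routing quirk in the report)."""
    return backend(posixpath.normpath(raw_path))


def vulnerable_verify(code, user):
    """Concatenates the user-supplied code into the path and trusts any 200 with success=true."""
    status, body = proxy(f"/verify/{code}/{user}")
    return status == 200 and body.get("success") is True


CODE_RE = re.compile(r"^\d{6,8}$")


def hardened_verify(code, user):
    """Allow-list the code, percent-encode each segment, and confirm the verify route answered."""
    if not CODE_RE.fullmatch(code):
        return False
    path = f"/verify/{quote(code, safe='')}/{quote(user, safe='')}"
    status, body = proxy(path)
    return status == 200 and body.get("success") is True and body.get("action") == "verify"
```

With the code `../sms`, the vulnerable check returns True because the normalized path lands on the SMS route, which reports success for any user; the hardened check rejects it before a request is ever built.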
Analysis Summary
# Tool/Technique: Blind Routing Exploitation via Path Traversal
## Overview
This technique involves identifying and exploiting inconsistencies in how modern web architectures (proxies, load balancers, and backend microservices) route internal requests. By utilizing directory traversal and control character fuzzing, attackers can bypass security controls—such as 2FA or authorization checks—by reaching unintended backend endpoints that the developer assumed were unreachable by end-users.
## Technical Details
- **Type:** Technique (Web Infrastructure Exploitation)
- **Platform:** Web Applications / Cloud Infrastructure (proxied microservice architectures)
- **Capabilities:** Authentication bypass, SSRF, Information Disclosure, CRLF Injection.
- **First Seen:** N/A (General web vulnerability; specific case studies involve Authy/Pinterest integrations).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0006 - Credential Access**
  - T1550 - Use Alternate Authentication Material
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery
- **TA0010 - Exfiltration**
  - T1567 - Exfiltration Over Web Service
## Functionality
### Core Capabilities
- **Path Traversal/Normalization:** Using `../` sequences and control characters (`#`, `?`, `&`, `/`, `.@`) to manipulate how a proxy forwards a request to a backend service.
- **Header Analysis:** Monitoring changes in response headers or stack traces to identify when a request has hit a different internal routing layer.
- **Parameter Injection:** Exploiting the fact that backend services often trust forwarded parameters, allowing the addition of "debug flags" or unauthorized IDs.
### Advanced Features
- **2FA Bypass:** Manipulating API routing (e.g., forcing a 200 OK response by traversing to a different API endpoint like `/sms`) to trick the application logic into validating a failed login.
- **Cross-Account Data Access:** Using double traversal sequences to move between tenant contexts on the backend service to access sensitive files like invoices.
- **HTTP Smuggling/CRLF Injection:** Exploiting discrepancies in how frontend and backend servers parse request lengths or line endings to smuggle additional requests or inject headers.
## Indicators of Compromise
- **File Hashes:** N/A (Technique-based)
- **Network Indicators:**
  - Requests containing excessive URL encoding or traversal sequences (`%2e%2e%2f`).
  - Unexplained `200 OK` responses for known invalid API paths.
- **Behavioral Indicators:**
  - High frequency of `404 Not Found` or `403 Forbidden` followed by successful requests with `/../` segments.
  - Responses containing internal stack traces or leaked headers (e.g., `X-Internal-Token`).
## Associated Threat Actors
- **Bug Bounty Hunters / Ethical Hackers** (Common in disclosure reports).
- **Advanced Persistent Threats (APTs)** seeking initial access via edge-device exploitation.
## Detection Methods
- **Behavioral Detection:** Monitoring for high rates of "4xx" errors followed by a "200" on a suspicious path containing special characters.
- **Signature-based:** WAF rules targeting `../`, `..%2f`, and control characters within the URL path rather than just parameters.
- **Anomaly Detection:** Identifying shifts in response headers (e.g., a "Server" header changing from `Nginx` to `Internal-Jetty`).
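A small detector for the three signals above, added here as an example and not part of the talk or any vendor's product. It runs over constructed log lines in an assumed `client path status server` format, double-decodes the path before looking for `..` segments or `#`/`@`, flags a client whose 4xx probes on such paths are followed by a 200, and reports any shift in the upstream `Server` header from the first value seen.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log: client, request path, status, upstream Server header.
# This whitespace-separated format is an assumption; map a real proxy's log format onto it.
SAMPLE_LOG = """\
10.0.0.5 /api/invoices/42 200 nginx
10.0.0.5 /api/invoices/../admin 404 nginx
10.0.0.5 /api/invoices/..%2f..%2fadmin/debug 403 nginx
10.0.0.5 /api/invoices/%2e%2e/%2e%2e/bob%40example.com/42 200 Internal-Jetty
10.0.0.9 /api/invoices/7 200 nginx
"""

TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# '?' and '&' are normal in query strings, so only '#' and '@' inside a path are treated as odd here.
ODD_CHARS = set("#@")


def is_suspicious_path(path):
    """Decode twice (catches %252e double encoding), then look for '..' segments or odd characters."""
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_RE.search(decoded)) or any(c in decoded for c in ODD_CHARS)


def analyze(log_text):
    """Return (client, alert_type, detail) tuples for probe-then-success and Server header shifts."""
    alerts = []
    probes = defaultdict(int)   # suspicious 4xx responses seen per client so far
    baseline_server = None      # first Server header seen is taken as the normal upstream
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path, status, server = line.split()
        status = int(status)
        suspicious = is_suspicious_path(path)
        if suspicious and 400 <= status < 500:
            probes[client] += 1
        elif suspicious and status == 200 and probes[client] > 0:
            alerts.append((client, "probe-then-success", path))
            probes[client] = 0
        if baseline_server is None:
            baseline_server = server
        elif server != baseline_server:
            alerts.append((client, "server-header-shift", f"{baseline_server} -> {server}"))
    return alerts
```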
## Mitigation Strategies
- **Path Normalization:** Ensure that the proxy/load balancer and the backend service normalize URLs identically before processing.
- **Strict Input Validation:** Disallow control characters and traversal sequences at the edge.
- **Identity-Aware Routing:** Do not rely solely on the "path" for security; implement robust session validation that persists across internal service hops.
- **Backend Hardening:** Backend services should not implicitly trust headers and should perform their own authorization checks.
## Related Tools/Techniques
- **SSRF (Server-Side Request Forgery):** Often the end goal of routing exploitation.
- **HTTP Request Smuggling:** Used to desynchronize the frontend and backend.
- **URL Fuzzers:** Tools like `ffuf`, `dirsearch`, or `Burp Suite Intruder` used with custom wordlists of control characters.