rules/web/web_path_traversal_exploitation_attempt.yml

title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)
date: 2021/09/25
status: experimental
description: Detects path traversal exploitation attempts
references:
  - https://github.com/projectdiscovery/nuclei-templates
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains:
      - '../../../../../etc/passwd'
      - '../../../../windows/'
      - '../../../../../lib/password'
  condition: selection
falsepositives:
  - Happens all the time on systems exposed to the Internet
  - Internal vulnerability scanners
tags:
  - attack.initial_access
  - attack.t1190
level: medium
refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00			`title: Path Traversal Exploitation Attempts`
docs: new ID 2021-09-25 11:37:39 +02:00			`id: 7745c2ea-24a5-4290-b680-04359cb84b35`
refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00			`author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)`
docs: new ID 2021-09-25 11:37:39 +02:00			`date: 2021/09/25`
refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00			`status: experimental`
			`description: Detects path traversal exploitation attempts`
			`references:`
			`- https://github.com/projectdiscovery/nuclei-templates`
			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
			`c-uri\|contains:`
			`- '../../../../../etc/passwd'`
			`- '../../../../windows/'`
			`- '../../../../../lib/password'`
			`condition: selection`
$frack113$ Fix optional section name 2021-11-27 11:27:40 +01:00			`falsepositives:`
refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00			`- Happens all the time on systems exposed to the Internet`
			`- Internal vulnerability scanners`
			`tags:`
			`- attack.initial_access`
			`- attack.t1190`
			`level: medium`