
Block Archive Directory Traversal

One min read
Contextal Team
Contextal Platform Creators

Directory traversal has been exploited by threat actors for years, in various forms such as Zip Slip.

We propose a scenario that triggers a BLOCK action when a filename inside an archive starts with ../. This proactively prevents exploitation of directory traversal by blocking archives containing files that attempt to escape the intended extraction directory. The check is applied to entries of archives and compressed files of the following types: Gzip, Bzip2, LZMA, 7z, RAR, ARJ, CAB, ZIP, and Tar.

Info: Click on the download button below to get the scenario, then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)

Directory-Traversal.json
{
"name": "Directory Traversal",
"min_ver": 1,
"max_ver": null,
"creator": "Contextal",
"description": "Block archive directory traversal.",
"local_query": "(\n object_type=\"Gzip\" ||\n object_type=\"Bzip2\" ||\n object_type=\"LZMA\" ||\n object_type=\"7z\" ||\n object_type=\"RAR\" ||\n object_type=\"ARJ\" ||\n object_type=\"CAB\" ||\n object_type=\"ZIP\" ||\n object_type=\"Tar\"\n) && @has_child(@has_name(starts_with(r\"../\")))",
"context": null,
"action": "BLOCK"
}
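As an added example that is not part of the Contextal scenario or its query language, the Python below applies the page's rule (entry name starts with ../) to the entries of a constructed ZIP, next to a stricter normalising check (an assumption that goes beyond the page's rule) which also flags names such as assets/../../x that only escape the extraction directory after path normalisation.

```python
import io
import posixpath
import zipfile

# Rule from the scenario on this page: flag an entry whose name starts with "../".
def scenario_matches(name: str) -> bool:
    return name.startswith("../")

# Stricter check (assumption, beyond the page's rule): normalise the entry path and
# flag anything that would land outside the extraction directory. This also catches
# "dir/../../x", absolute paths and backslash-separated names.
def escapes_extraction_dir(name: str) -> bool:
    unified = name.replace("\\", "/")
    if unified.startswith("/"):
        return True
    normalised = posixpath.normpath(unified)
    return normalised == ".." or normalised.startswith("../")

def classify_zip(zip_bytes: bytes) -> dict:
    """Return entry names grouped by which check flags them, in archive order."""
    result = {"scenario": [], "normalised": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if scenario_matches(info.filename):
                result["scenario"].append(info.filename)
            if escapes_extraction_dir(info.filename):
                result["normalised"].append(info.filename)
    return result

def build_sample_zip() -> bytes:
    """Constructed in-memory sample archive (not a real sample from the page)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../escaped.txt", "caught by the page's starts_with rule")
        zf.writestr("assets/../../escaped2.txt", "only caught after normalisation")
    return buf.getvalue()

if __name__ == "__main__":
    for check, names in classify_zip(build_sample_zip()).items():
        print(f"{check}: {names}")
```

Entries that only escape after normalisation are worth considering when tuning the scenario's query, since the page's rule as written matches the leading ../ form only.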