
Directory Traversal

A vulnerability that allows attackers to access files outside the intended directory by manipulating file path inputs.

Directory traversal (also known as path traversal or dot-dot-slash attack) is a vulnerability that allows an attacker to access files and directories stored outside the intended folder on a server. By manipulating file path inputs with sequences like ../, an attacker can navigate up the directory tree and read, and sometimes write, arbitrary files on the system, including configuration files, source code, and sensitive data.

How It Works

Web applications often accept file names or paths as parameters to serve files, load templates, or process uploads. When the application uses this input to construct a file system path without properly validating that the resulting path stays within the intended directory, an attacker can inject path traversal sequences.

For example, if an application serves profile images from /var/www/images/ and accepts a filename parameter like ?file=photo.jpg, an attacker might request ?file=../../../etc/passwd. The server resolves this to /var/www/images/../../../etc/passwd, which simplifies to /etc/passwd, returning a sensitive system file. On Windows systems, the attacker would use ..\ sequences to traverse directories.

Applications often implement basic defenses that can be bypassed through encoding tricks. URL encoding (%2e%2e%2f), double URL encoding (%252e%252e%252f), unicode encoding, and null byte injection (photo.jpg%00.png) are all techniques used to evade path traversal filters. Differences in how web servers, reverse proxies, and application frameworks normalize paths can create bypass opportunities even when individual components implement validation.

Effective defenses include resolving the canonical path of the requested file and verifying it falls within the intended base directory, using a chroot or sandboxed file system, mapping user inputs to an index of allowed files rather than using them as direct path components, and stripping or rejecting any input containing path traversal sequences.
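The following is an added example, not code from this glossary or any project it describes, showing the first and third defenses above applied to the ?file= parameter from the earlier example. It decodes the input (so single and double URL encoding collapse), rejects null bytes, canonicalizes with os.path.realpath, and then checks that the result still sits under the base directory. The base directory /var/www/images, the allowlist contents, and all function names are assumptions chosen for illustration.

```python
import os
import urllib.parse

# Assumed base directory, taken from the glossary's profile-image example.
BASE_DIR = "/var/www/images"

# Assumed allowlist for the "map inputs to an index of allowed files" defense:
# the user supplies a key, never a path component.
ALLOWED_FILES = {
    "avatar": "photo.jpg",
    "banner": "banner.png",
}


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Repeatedly URL-decode until stable, so %252e%252e%252f and %2e%2e%2f
    both end up as a literal ../ before validation runs."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safely(user_input: str, base_dir: str = BASE_DIR) -> str:
    """Return the canonical absolute path for user_input, or raise
    PathTraversalError if it escapes base_dir."""
    decoded = fully_decode(user_input)
    # Null bytes truncate C-style strings; reject rather than trust the suffix.
    if "\x00" in decoded:
        raise PathTraversalError("null byte in filename")
    # Treat Windows separators as separators so ..\ is not passed through as text.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks; an absolute
    # user path would discard base in os.path.join and then fail the check.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check: the common prefix must be the base itself, and the
    # request must name something inside it, not the directory.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_input!r} resolves outside {base_dir}")
    return candidate


def is_safe_request(user_input: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean convenience wrapper around resolve_safely."""
    try:
        resolve_safely(user_input, base_dir)
        return True
    except PathTraversalError:
        return False


def lookup_allowed(key: str, base_dir: str = BASE_DIR):
    """Allowlist variant: unknown keys yield None; known keys yield a path
    built only from server-controlled strings."""
    name = ALLOWED_FILES.get(key)
    if name is None:
        return None
    return os.path.join(os.path.realpath(base_dir), name)


if __name__ == "__main__":
    # Constructed sample requests, including the forms named in the glossary.
    for req in ["photo.jpg", "../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                "%252e%252e%252fetc%252fpasswd",
                "photo.jpg%00.png", "..\\..\\..\\windows\\win.ini"]:
        print(f"{req!r:45} -> {'allowed' if is_safe_request(req) else 'rejected'}")
```

Two design points worth noting. The check compares canonical paths rather than searching the input for ../, because a substring filter that strips sequences can be defeated by differences in how components normalize paths, as the glossary describes; rejecting on the resolved location sidesteps that. And the allowlist variant removes the problem entirely for fixed sets of files, since the user input is only ever a dictionary key.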

Why It Matters

Directory traversal can expose any file readable by the application's process, including source code with embedded credentials, configuration files, private keys, and database files. Security assessments test every file-handling function for traversal vulnerabilities, including upload, download, template loading, and logging functionality.
