
Path Traversal

A vulnerability that allows attackers to access files and directories outside the intended scope by manipulating file path inputs.

Path traversal, also known as directory traversal, is a vulnerability that occurs when an application uses user-supplied input to construct file paths without adequate validation. By injecting sequences like ../ into file parameters, attackers can navigate outside the intended directory and read any file the application's own account can read, including configuration files, source code, and system credentials.

How It Works

Applications often serve files based on a parameter, such as /download?file=report.pdf. If the application simply appends this parameter to a base directory path without sanitization, an attacker can submit /download?file=../../../etc/passwd to traverse up the directory tree and read /etc/passwd, the system's account file. Each ../ segment moves one level up in the directory hierarchy, and chaining enough of them reaches the filesystem root; extra ../ segments beyond the root are ignored, so an attacker who guesses too many loses nothing.

Developers often attempt to block path traversal by filtering out ../ sequences, but attackers have numerous bypass techniques. URL encoding (%2e%2e%2f) defeats a filter that runs before the framework decodes the parameter, and double URL encoding (%252e%252e%252f) defeats one that runs between two decoding steps. Backslashes (..\) are a separator on Windows systems, and null byte injection (../../../etc/passwd%00.pdf) truncates the path in C-based runtimes so a required extension is checked but never reached by the filesystem call. Some applications normalize paths inconsistently, allowing mixed encoding or Unicode representations to slip through validation.

The impact depends on the permissions of the account the application runs as. Read-only traversal exposes sensitive configuration files containing database credentials, API keys, or encryption secrets. When combined with file upload functionality or write operations, path traversal can escalate to remote code execution by writing malicious files to locations the server executes, such as web server directories or cron job folders.

Why It Matters

Path traversal vulnerabilities are straightforward to exploit and can expose an organization's most sensitive data in a single request. They frequently appear in file download features, template engines, and logging configurations. Proper remediation requires decoding the input once, canonicalizing the resulting path (resolving ../ segments and symlinks), and verifying that the resolved path falls within the expected directory, rather than relying on blocklists that attackers can bypass. Where the set of legitimate files is small, an allowlist of permitted names is simpler still.
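The following is an added example, not code from the original page, illustrating both the bypasses described under "How It Works" and the canonicalize-and-check remediation above. It places a blocklist resolver (naive_resolve, deliberately vulnerable) beside a hardened one (safe_resolve) and runs the same constructed payloads through both. The downloads directory, its single report.pdf, the payload strings and the helper names are all assumptions made for the demonstration; it assumes a POSIX system, where os.path.join discards the base directory when the second argument is absolute.

```python
import os
import tempfile
import urllib.parse

# Constructed sample: a downloads directory holding one legitimate file.
BASE = tempfile.mkdtemp(prefix="downloads_")
with open(os.path.join(BASE, "report.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")


def naive_resolve(base, file_param):
    """Deliberately vulnerable resolver, kept for contrast.

    It blocklists the literal '../' and requires a '.pdf' suffix, but checks
    the raw parameter and only decodes afterwards, so an encoded '../' and a
    null byte placed before the extension both slip through.
    """
    if "../" in file_param or not file_param.endswith(".pdf"):
        return None
    decoded = urllib.parse.unquote(file_param)   # %2e%2e%2f becomes ../ here, after the check
    return os.path.join(base, decoded)           # join() drops base entirely for an absolute input


def safe_resolve(base, file_param):
    """Hardened resolver: decode once, canonicalize, then check containment.

    Returns the absolute path of an existing file inside `base`, else None.
    """
    decoded = urllib.parse.unquote(file_param)
    if "\x00" in decoded:
        return None                              # never pass a null byte down to the OS layer
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded))  # collapses ../ and symlinks
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None                              # resolved outside the allowed directory
    if not os.path.isfile(candidate):
        return None                              # base itself, subdirectories, missing files
    return candidate


def escapes_base(base, path):
    """True if `path` canonicalizes to somewhere outside `base`.

    A null byte is truncated first to mirror what a C-level open() would see;
    Python's own os calls would raise ValueError rather than open anything.
    """
    path = path.split("\x00", 1)[0]
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


# Constructed payloads, in the forms the glossary entry describes.
PAYLOADS = [
    "report.pdf",                                           # legitimate request
    "../../../etc/passwd",                                  # textbook form; the blocklist catches it
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00.pdf",       # URL-encoded ../ plus a null byte
    "..%2f..%2f..%2fetc%2fpasswd%00.pdf",                   # mixed encoding: only the slashes encoded
    "%2fetc%2fpasswd%00.pdf",                               # absolute path; join() discards base
]


def compare(base=BASE, payloads=PAYLOADS):
    """Map each payload to (naive_escaped, safe_path).

    naive_escaped is None when the naive filter rejected the input, otherwise
    whether the path the naive resolver would open lies outside `base`.
    """
    results = {}
    for p in payloads:
        naive = naive_resolve(base, p)
        naive_escaped = None if naive is None else escapes_base(base, naive)
        results[p] = (naive_escaped, safe_resolve(base, p))
    return results


if __name__ == "__main__":
    for payload, (naive_escaped, safe_path) in compare().items():
        print(f"{payload:52} naive_escaped={naive_escaped!s:5} safe={safe_path}")
```

Running the script shows the blocklist stopping only the textbook payload: every encoded, mixed-encoding and absolute-path variant reaches a path outside the downloads directory, while safe_resolve returns a path only for report.pdf. The containment test uses os.path.commonpath on two canonical absolute paths rather than a string prefix check, because a prefix check would accept a sibling directory such as downloads_other.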
