
Path Traversal

Challenge Updated 23 Jun 2026 Free Access Solution (Pro)
Tags: Path Traversal, CGI, Web Security, File Access, Directory Traversal, Input Validation

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn XP!

1 flag · 50 XP · 73% success rate

Path traversal (also known as directory traversal) is a web security vulnerability that allows attackers to read files on the server that are outside the web application's intended directory. By manipulating file path references with sequences like ../, attackers can escape the web root and access sensitive system files, application source code, configuration files containing credentials, and other critical data stored on the server.

How Path Traversal Vulnerabilities Work

Web applications frequently serve files or include content based on user-supplied parameters. A typical vulnerable pattern involves a URL like /view?file=report.pdf where the application constructs a file path by appending the parameter to a base directory. Without proper validation, an attacker can supply ../../etc/passwd to traverse up the directory tree and read arbitrary files. The ../ sequence instructs the operating system to move one directory level up, and chaining multiple sequences allows traversal to any accessible location on the filesystem.

Common Targets and Impact

Attackers exploiting path traversal typically target high-value files. On Linux systems, /etc/passwd reveals user accounts, /etc/shadow may contain password hashes, and application configuration files often contain database credentials and API keys. On Windows, targets include boot.ini, win.ini, and SAM database files. Web application source code accessed through path traversal can reveal additional vulnerabilities, business logic, and hardcoded secrets. In severe cases, path traversal combined with file upload or log poisoning can lead to remote code execution.

Bypass Techniques

Applications may attempt to block path traversal with basic filters, but attackers have developed numerous bypass techniques. URL encoding (%2e%2e%2f), double URL encoding (%252e%252e%252f), null bytes (../../../etc/passwd%00.png), and Unicode encoding can evade simple pattern matching that runs before decoding. Nested traversal sequences (....//) survive a filter that strips ../ in a single pass, because removing the inner ../ leaves a fresh ../ behind. OS-specific variations such as backslashes on Windows (..\) and absolute paths (/etc/passwd) may bypass filters written only with Unix-style forward slashes in mind.
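From the defender's side, the same bypass list doubles as a detection checklist: decode a request until it stops changing, then look for the traversal shapes listed above. The following added example (not part of the lab page or any product code) scans a handful of constructed Apache-style access-log lines and tags each suspicious query-parameter value with the indicators it carries, including whether the traversal only appeared after one or two rounds of URL decoding. The log lines, IP addresses and the `/cgi-bin/view?file=` endpoint are all invented for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the example (no real server, hosts or hits).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/view?file=report.pdf HTTP/1.1" 200 5123
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /cgi-bin/view?file=../../../etc/passwd HTTP/1.1" 200 2031
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 221
10.0.0.8 - - [01/Jan/2025:10:00:04 +0000] "GET /cgi-bin/view?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 221
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/view?file=....//....//etc/passwd HTTP/1.1" 200 2031
10.0.0.10 - - [01/Jan/2025:10:00:06 +0000] "GET /cgi-bin/view?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 180
10.0.0.11 - - [01/Jan/2025:10:00:07 +0000] "GET /cgi-bin/view?file=../../etc/passwd%00.png HTTP/1.1" 200 2031
10.0.0.12 - - [01/Jan/2025:10:00:08 +0000] "GET /cgi-bin/view?file=/etc/passwd HTTP/1.1" 200 2031
10.0.0.13 - - [01/Jan/2025:10:00:09 +0000] "GET /images/logo.png HTTP/1.1" 200 8841
"""

# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x", status, size
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.+[/\\]")        # matches ../ and ..\ as well as nested ....// forms
WINDOWS_ABS_RE = re.compile(r"^[A-Za-z]:[/\\]")  # C:\ or C:/ style absolute path


def fully_decode(raw, max_rounds=4):
    """URL-decode until the value stops changing.

    Returns (decoded_value, rounds_that_changed_something) so the caller can
    tell plain, single-encoded and double-encoded input apart.
    """
    value, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify_value(raw_value):
    """Return the list of traversal indicators found in one query-parameter value."""
    value, rounds = fully_decode(raw_value)
    indicators = []
    if TRAVERSAL_RE.search(value):
        indicators.append("dot-dot-slash")
    if "\x00" in value:
        indicators.append("null-byte")
    if value.startswith("/") or WINDOWS_ABS_RE.match(value):
        indicators.append("absolute-path")
    # Only label the encoding when it actually hid something worth flagging.
    if indicators and rounds == 1:
        indicators.append("url-encoded")
    elif indicators and rounds >= 2:
        indicators.append("double-encoded")
    return indicators


def scan_log(text):
    """Parse each log line and report query parameters that carry traversal indicators."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue
        query = match.group("target").partition("?")[2]
        for pair in filter(None, query.split("&")):
            name, _, raw_value = pair.partition("=")
            indicators = classify_value(raw_value)
            if indicators:
                findings.append({
                    "ip": match.group("ip"),
                    "status": int(match.group("status")),
                    "param": name,
                    "value": raw_value,
                    "indicators": indicators,
                })
    return findings


def successful_reads(findings):
    """Findings the server answered with 200: the ones that most need follow-up."""
    return [f for f in findings if f["status"] == 200]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two points to note when adapting this: the indicators are assigned after decoding, so a filter or rule that matches the raw request string would miss the encoded rows, and the 200-status subset is the triage priority because a 403 or 404 shows the request was blocked or missed while a 200 means the file was likely served.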

Prevention Strategies

Effective defense against path traversal requires multiple layers. Input validation should reject any path containing traversal sequences after decoding. Applications should use a whitelist of allowed files or map user inputs to predefined file identifiers rather than using direct file paths. Filesystem-level controls can restrict the web application process to a chroot jail or container. Server configurations should deny access to sensitive directories. Regular security testing should include path traversal payloads with various encoding and bypass techniques.
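To make the vulnerable pattern from "How Path Traversal Vulnerabilities Work" and the layered defenses above concrete, here is an added example (written for this page, not taken from the lab or any framework) that builds a throwaway directory layout in a temp dir, serves a file the unsafe way, and then serves it two safe ways: by mapping a client-supplied identifier to a predefined file, and, when a path must be accepted, by decoding, rejecting traversal and absolute paths, and finally verifying that the resolved path is still inside the web root. The directory names, file contents and the `FILE_IDS` table are constructed for the example.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def build_sandbox():
    """Constructed layout: <base>/web_root/files/report.txt is the only file meant to be served;
    <base>/secret.txt stands in for a config file outside the web root."""
    base = tempfile.mkdtemp(prefix="pt-demo-")
    web_root = os.path.join(base, "web_root", "files")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "report.txt"), "w") as fh:
        fh.write("quarterly report")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db_password=PLACEHOLDER")
    return base, web_root


def serve_vulnerable(web_root, user_path):
    """The pattern described on the page: base directory + raw parameter, no validation."""
    # ../ segments walk out of web_root, and os.path.join drops web_root entirely
    # when user_path is absolute; nothing here checks either case.
    try:
        with open(os.path.join(web_root, user_path)) as fh:
            return "ok", fh.read()
    except FileNotFoundError:
        return "not_found", None


# Allowlist approach: the client sends an identifier, the server picks the filename.
FILE_IDS = {"report": "report.txt"}


def serve_by_id(web_root, file_id):
    name = FILE_IDS.get(file_id)
    if name is None:
        return "forbidden", "unknown file id"
    with open(os.path.join(web_root, name)) as fh:
        return "ok", fh.read()


def serve_contained(web_root, user_path):
    """Defense in depth for the case where a path really must be accepted."""
    decoded = user_path
    for _ in range(3):                    # decode until stable so %252e%252e cannot hide ../
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return "forbidden", "null byte in path"
    normalized = decoded.replace("\\", "/")   # treat ..\ like ../ rather than trusting the filter
    if normalized.startswith("/") or ".." in normalized.split("/"):
        return "forbidden", "traversal or absolute path rejected"
    # Last line of defense: resolve the path (realpath also follows symlinks, so a link
    # inside the root that points outside it is caught here too) and require containment.
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        return "forbidden", "resolved path escapes web root"
    if not os.path.isfile(candidate):
        return "not_found", None
    with open(candidate) as fh:
        return "ok", fh.read()


def run_demo():
    """Exercise all three handlers against the same inputs and return the results."""
    base, web_root = build_sandbox()
    try:
        return {
            "vuln_ok": serve_vulnerable(web_root, "report.txt"),
            "vuln_escape": serve_vulnerable(web_root, "../../secret.txt"),
            "id_ok": serve_by_id(web_root, "report"),
            "id_bad": serve_by_id(web_root, "../../secret.txt"),
            "hard_ok": serve_contained(web_root, "report.txt"),
            "hard_dotdot": serve_contained(web_root, "../../secret.txt"),
            "hard_encoded": serve_contained(web_root, "%252e%252e%252f%252e%252e%252fsecret.txt"),
            "hard_backslash": serve_contained(web_root, "..%5c..%5csecret.txt"),
            "hard_null": serve_contained(web_root, "report.txt%00.png"),
            "hard_nested": serve_contained(web_root, "....//....//secret.txt"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The nested `....//` input is instructive: because `serve_contained` rejects rather than strips, the dots stay literal directory names, the resolved path stays inside the root and the handler simply reports not found. The two safe handlers are deliberately independent of each other; the identifier mapping is the one to prefer in new code, and the containment check is what to add when an existing endpoint cannot be changed to identifiers.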

What You Will Learn

  • How path traversal vulnerabilities allow reading files outside the web root
  • Using directory traversal sequences to access sensitive system files
  • Bypass techniques for common path traversal filters and sanitization
  • Identifying path traversal in CGI scripts and web application parameters
  • Preventing directory traversal through proper input validation and access controls

Prerequisites

  • Basic web application concepts
  • Understanding of Linux filesystem structure
  • HTTP request fundamentals

New here? Here's what to do

  1. Click "Start Lab" above. You'll get your own private machine with an IP address.
  2. Explore the target. Open the IP in your browser and look for vulnerabilities.
  3. Find and submit flags. Flags are secret text strings hidden in the system; paste them below to score.
