Path Traversal
detect, understand, remediate
Path traversal (directory traversal) allows attackers to access files and directories outside the intended web root by manipulating file path references with sequences like "../".
No credit card required. Free plan available forever.
What is path traversal?
Path traversal, also known as directory traversal or the dot-dot-slash attack, is a vulnerability that allows attackers to manipulate file path references to access files and directories outside the application's intended root directory. By injecting sequences such as ../ into file parameters, attackers can navigate the server's filesystem to read sensitive files they should not have access to.
A successful path traversal attack can expose critical system files such as /etc/passwd, application configuration files containing database credentials, source code, private keys, and other sensitive data stored on the server. In some cases, attackers can also write to arbitrary file paths, enabling code execution or application defacement.
Path traversal vulnerabilities commonly appear in file download endpoints, image serving functions, template rendering, and any functionality that constructs file paths from user-supplied input. Attackers frequently combine path traversal with encoding techniques (URL encoding, double encoding, and null byte injection) to bypass basic filtering attempts.
How it works
File served via parameter
The application serves files based on a user-supplied parameter, such as a filename in a URL query string or POST body (e.g. ?file=report.pdf).
Inject traversal sequences
The attacker replaces the filename with ../ sequences to navigate up the directory tree (e.g. ?file=../../../etc/passwd).
Path resolves outside web root
The server resolves the manipulated path and accesses a file outside the intended directory, bypassing the application's expected file scope.
Sensitive files returned
Configuration files, credentials, source code, private keys, or system files are returned to the attacker in the HTTP response.
Common causes
User input in file paths
Using user-supplied input directly in file path construction without validating or sanitising it against directory traversal sequences.
Insufficient path canonicalisation
Failing to resolve the final absolute path and verify it falls within the allowed directory before serving the file to the user.
No base directory restriction
Not enforcing that resolved file paths must be within a specific base directory, allowing navigation to any location on the filesystem.
Allowing encoded traversal sequences
Failing to decode and normalise input before validation, enabling bypasses via URL encoding (%2e%2e%2f), double encoding, Unicode, or null byte injection.
How to detect it
Automated detection
- SecPortal's authenticated scanner tests path traversal with multiple encoding bypass techniques including URL encoding, double encoding, and null byte injection
- Identifies file inclusion endpoints and tests varying depths of ../ sequences to determine whether filesystem navigation is possible
- Code scanning detects insecure file path construction patterns in source code before they reach production
Manual testing
- Attempt to access known files such as ../../../etc/passwd (Linux) or ..\..\..\windows\win.ini (Windows) through file parameters
- Test encoded variations: %2e%2e%2f, %252e%252e%252f, ..%00/ (null byte), and ..%c0%af to bypass input filters
- Identify all endpoints that accept file names or paths and systematically test each with traversal payloads at varying depths
How to fix it
Validate and canonicalise file paths
Resolve the absolute path of the requested file and verify it starts with the expected base directory. Use realpath() or equivalent before serving any file.
Use an allow-list of permitted files
Map user input to an index or identifier that references a predefined list of allowed files, rather than using the input as a direct file path.
Restrict to a base directory
Enforce that all file operations are confined to a specific directory. Reject any resolved path that does not begin with the authorised base path.
Reject path separator characters
Strip or reject input containing path separators (/, \), dot sequences (..), and encoded variants before processing. Apply validation after URL decoding.
Use chroot or sandboxing
Isolate the application's file access using chroot jails, containers, or OS-level access controls so that even successful traversal cannot reach sensitive system files.
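A file resolver that applies the canonicalise-and-contain fixes above (decode first, reject null bytes, realpath(), then confirm the result lies under the base directory). This is an added example, not SecPortal's code; the base directory /srv/app/public is assumed. It also shows why a plain startswith() prefix test is not a sufficient containment check.

```python
import os
import urllib.parse
# Assumed base directory for this example (constructed; not from the page).
BASE_DIR = os.path.realpath("/srv/app/public")

class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside BASE_DIR."""

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double encoding (%252e) is seen as '..'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_safe_path(user_input: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalise user_input under base_dir and fail closed if it escapes."""
    name = fully_decode(user_input)
    # Null bytes truncate paths in C-backed file APIs: reject outright.
    if "\x00" in name:
        raise PathTraversalError("null byte in filename")
    # Treat backslash as a separator so Windows-style payloads are not
    # accepted as odd-looking filenames on a POSIX host.
    name = name.replace("\\", "/")
    # Drop a leading slash so join() cannot be forced onto an absolute path.
    candidate = os.path.realpath(os.path.join(base_dir, name.lstrip("/")))
    # Containment check on the canonical path: commonpath, not startswith(),
    # because a prefix test accepts /srv/app/public_secrets under /srv/app/public.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise PathTraversalError(f"{user_input!r} escapes {base_dir}")
    return candidate

def naive_prefix_check(user_input: str, base_dir: str = BASE_DIR) -> bool:
    """The common but flawed check: realpath() followed by startswith()."""
    candidate = os.path.realpath(os.path.join(base_dir, user_input))
    return candidate.startswith(base_dir)

def is_safe(user_input: str) -> bool:
    try:
        resolve_safe_path(user_input)
        return True
    except PathTraversalError:
        return False

if __name__ == "__main__":
    for payload in ["report.pdf", "../../../etc/passwd", "%252e%252e%252fetc/passwd",
                    "..%00/etc/passwd", "..\\..\\..\\windows\\win.ini"]:
        print(f"{payload!r:40} safe={is_safe(payload)}")
```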
Detect path traversal automatically
SecPortal tests for directory traversal with encoding bypasses and file inclusion attacks. Start scanning for free.