Path Traversal

Path Traversal is a critical vulnerability that allows attackers to access files and directories outside the intended web root. By manipulating file paths with sequences like ../, attackers can read sensitive system files, configuration data, and potentially achieve remote code execution.

HIGH SEVERITYOWASP Top 10 #1CWE-225 Techniques

🧪 Interactive Path Traversal Lab

Select a Path Traversal technique and practice file access attacks in a safe environment

Select Path Traversal Attack Type

Choose an attack technique to practice different Path Traversal vectors

📂

Basic Path Traversal

Simple directory traversal using ../ sequences

BEGINNER1 attack

🎯

Absolute Path Access

Access files using absolute paths

BEGINNER2 attack

🔐

Encoding Bypass

Bypass filters using various encoding techniques

INTERMEDIATE2 attack

🛡️

Filter Bypass

Advanced techniques to bypass path traversal filters

ADVANCED2 attack

🔄

Nested Traversal

Complex nested path traversal attacks

EXPERT2 attack

📖

Quick Reference

Always available while working

⚠️Notable Path Traversal CVEs (2020-2025)

CVE-2024-238979.8

Jenkins - Arbitrary file read via path traversal in CLI command parser

→ Remote code execution & credential theft

CVE-2024-273488.8

Apache HugeGraph - Path traversal in file upload

→ Arbitrary file access & data exfiltration

CVE-2024-340010.0

Palo Alto Networks PAN-OS - Command injection via path traversal

→ Critical unauthenticated remote code execution

CVE-2024-17098.6

ConnectWise ScreenConnect - Path traversal allows arbitrary file access

→ Authentication bypass & remote code execution

🔥OWASP Top 10

Position:#1

Path Traversal is part of OWASP Top 10 2021 #1 (Broken Access Control). Critical level in 30% of applications.

📊Critical Statistics

Vulnerable Web Applications:~30%

Average CVSS Score:8.8

Usually rated as HIGH or CRITICAL

RCE Risk:HIGH

Can lead to information disclosure and RCE

🛡️Quick Prevention

✓Use allowlists for file paths and validate strictly
✓Sanitize all user inputs and remove ../ sequences
✓Use realpath() to resolve and validate file paths
✓Implement proper file permissions and access controls
✓Use security headers and disable directory listing
✓Deploy WAF rules to detect traversal patterns

📚Resources

VulnSign Path Traversal CWE-22: Path Traversal PayloadsAllTheThings

📚 Learn & Master Path Traversal

Comprehensive guide covering theory, bypass techniques, real-world examples, and prevention strategies

FUNDAMENTALS

🗂️

What is Path Traversal?

Path Traversal (also known as Directory Traversal) is a web security vulnerability that allows attackers to read arbitrary files on the server by manipulating file paths. Attackers use special character sequences like ../ to navigate up the directory structure and access sensitive files outside the web root.

MECHANISM

How It Works

Path Traversal attacks exploit insufficient input validation when applications construct file paths based on user input. By using special character sequences like ../ (dot-dot-slash), attackers can navigate up the directory tree and access files outside the web root, including system files, configuration files, and application source code.

❌ VULNERABLE CODE

php

1// PHP - Unsafe file inclusion
2$file = $_GET['page'];
3include("/var/www/pages/" . $file);
4
5// Attacker sends:
6?page=../../../../etc/passwd
7
8// Result: Reads /etc/passwd

✅ SECURE CODE

php

1// PHP - Secure file inclusion
2$file = basename($_GET['page']);
3$allowedFiles = ['home', 'about', 'contact'];
4
5if (in_array($file, $allowedFiles)) {
6  include("/var/www/pages/" . $file . ".php");
7}

TYPES

Types of Path Traversal

📂Basic Traversal

Simple ../ sequences to navigate directories

🎯Absolute Paths

Direct file access using full paths

🔐Encoding Bypass

URL/Unicode encoding to bypass filters

🔄Nested Bypass

Complex patterns to defeat filters

IMPACT

What Can Happen?

📂
Sensitive File Disclosure:
Access to /etc/passwd, /etc/shadow, config files, .env files, SSH keys, database credentials
💻
Source Code Disclosure:
Reading application source code, revealing business logic, API keys, and additional vulnerabilities
🔑
Credential Theft:
Stealing database passwords, API keys, OAuth tokens, and other authentication credentials
🔥
Remote Code Execution:
In some cases, combining with log poisoning or file upload can lead to RCE

BEST PRACTICES

🛡️

How to Prevent Path Traversal

✓Input Whitelisting: Input Whitelisting: Only allow predefined file names, never accept arbitrary paths
✓Path Normalization: Path Normalization: Use realpath() or similar to resolve paths and validate they're within allowed directories
✓Avoid User Input in Paths: Avoid User Input in Paths: Never use user input directly in file operations
✓File Permissions: File Permissions: Implement strict file system permissions using principle of least privilege
✓Chroot Jails: Chroot Jails: Use chroot or containerization to limit file system access

FUNDAMENTALS

🗂️

What is Path Traversal?

Path Traversal (also known as Directory Traversal) is a web security vulnerability that allows attackers to access files and directories outside of the intended directory. By manipulating file paths with sequences like ../, attackers can read sensitive files, access configuration data, and potentially achieve remote code execution.

MECHANISM

⚡

How It Works

❌ VULNERABLE CODE

php

// Vulnerable PHP code
<?php
$file = $_GET['file'];
$content = file_get_contents("/var/www/files/" . $file);
echo $content;
?>

// Attacker payload:
// ?file=../../../../etc/passwd
// ?file=../../../var/www/html/.env

✅ SECURE CODE

php

// Secure PHP code
<?php
$allowed = ['doc1.txt', 'doc2.txt', 'readme.md'];
$file = $_GET['file'] ?? 'readme.md';

if (in_array($file, $allowed)) {
    $content = file_get_contents("/var/www/files/" . $file);
    echo $content;
} else {
    die("Access denied");
}
?>

TYPES

📂

Types of Path Traversal

📂 Basic Traversal

Simple ../ sequences to navigate directories

?file=../../../etc/passwd

🎯 Absolute Paths

Direct file access using full paths

?file=/etc/passwd

🔐 Encoding Bypass

URL/Unicode encoding to bypass filters

?file=..%2f..%2fetc%2fpasswd

🔄 Nested Bypass

Complex patterns to defeat filters

?file=....//....//etc/passwd

IMPACT

What Can Happen?

📄
Sensitive File Disclosure:
Access to /etc/passwd, /etc/shadow, config files, .env files, SSH keys, database credentials
💻
Source Code Disclosure:
Reading application source code, revealing business logic, API keys, and additional vulnerabilities
🔑
Credential Theft:
Stealing database passwords, API keys, OAuth tokens, and other authentication credentials
🔥
Remote Code Execution:
In some cases, combining with log poisoning or file upload can lead to RCE

BEST PRACTICES

🛡️

How to Prevent Path Traversal

✓Input Whitelisting: Only allow predefined file names, never accept arbitrary paths
✓Path Normalization: Use realpath() or similar to resolve paths and validate they're within allowed directories
✓Avoid User Input in Paths: Never use user input directly in file operations
✓File Permissions: Implement strict file system permissions using principle of least privilege
✓Chroot Jails: Use chroot or containerization to limit file system access

// Vulnerable PHP code <?php $file = $_GET['file']; $content = file_get_contents("/var/www/files/" . $file); echo $content; ?> // Attacker payload: // ?file=../../../../etc/passwd // ?file=../../../var/www/html/.env

// Secure PHP code <?php $allowed = ['doc1.txt', 'doc2.txt', 'readme.md']; $file = $_GET['file'] ?? 'readme.md'; if (in_array($file, $allowed)) { $content = file_get_contents("/var/www/files/" . $file); echo $content; } else { die("Access denied"); } ?>