
Directory Traversal

Directory traversal (also known as path traversal) is a vulnerability that allows attackers to access files and directories stored outside the intended directory by manipulating file path references with sequences like ../ to navigate the file system.

Directory traversal attacks exploit insufficient validation of user-supplied file paths in web applications. When an application uses user input to construct file system paths (for example, to serve files, load templates, or process uploads), an attacker can inject path traversal sequences such as ../ (or ..\ on Windows) to break out of the intended directory and access arbitrary files on the server.

Common targets of directory traversal attacks include sensitive configuration files (such as /etc/passwd on Linux or web.config on Windows), application source code, database credential files, log files containing sensitive data, and SSH private keys. Access to these files can provide attackers with credentials, system information, and other data that facilitates further attacks.

Attackers use various techniques to bypass basic protections, including URL encoding (..%2F), double URL encoding (..%252F), null byte injection (..%00), and Unicode variations. Some applications attempt denylist-based filtering of ../ sequences, but these can often be circumvented using alternative encodings or OS-specific path representations.

Effective defences include using an allowlist of permitted files and mapping user inputs to predefined file identifiers rather than using direct file paths, normalising and canonicalising paths before validation, running the application with minimal file system permissions, implementing chroot jails or containerisation to limit the file system scope, and avoiding the use of user input in file system operations wherever possible.
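The following is an added example and not code from the Vulnsy page: a vulnerable file-serving helper beside a hardened one that applies the defences above. The hardened resolver validates the decoded input, canonicalises it with realpath, and checks that the result is still inside the base directory; a separate allowlist maps client-supplied identifiers to file names so user input never reaches the file system as a path. The demo directory, its single file, and the probe strings are constructed for the example.

```python
# Added example, not from the Vulnsy page: a vulnerable file-serving helper
# beside a hardened one. The hardened version canonicalises the decoded path
# and confines it to a base directory; an allowlist maps identifiers to files
# so user input never reaches the file system as a path at all.
import os
import tempfile
import urllib.parse
from typing import Optional

# Constructed demo directory with one legitimate file (assumption: the app
# is only meant to serve files from here).
DEMO_DIR = tempfile.mkdtemp(prefix="traversal-demo-")
with open(os.path.join(DEMO_DIR, "report.txt"), "wb") as _f:
    _f.write(b"quarterly report\n")


def vulnerable_read(base_dir: str, user_path: str) -> bytes:
    """Vulnerable: user input is joined straight onto base_dir, so a value
    such as '../../etc/passwd' walks out of the directory."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return a canonical absolute path inside base_dir or raise ValueError.

    Validation runs on the decoded string, after every decoding layer the
    stack applies, so an encoded '..%2F' or a NUL-terminated 'file%00.png'
    is judged on what the file system would actually see.
    """
    decoded = urllib.parse.unquote(user_path)  # stands in for framework decoding
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise ValueError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and resolves symlinks, so the
    # containment check below sees the real target, not the raw string.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper so callers can check a path without handling exceptions."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


# Allowlist: the client sends an identifier, never a path.
ALLOWED_FILES = {"report": "report.txt"}


def read_allowed(base_dir: str, file_id: str) -> Optional[bytes]:
    """Serve a file by identifier; anything not in the allowlist yields None."""
    name = ALLOWED_FILES.get(file_id)
    if name is None:
        return None
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed probes: one legitimate name and several traversal attempts.
    for probe in ["report.txt", "sub/../report.txt", "../../etc/passwd",
                  "..%2F..%2Fetc%2Fpasswd", "report.txt%00.png", "/etc/passwd"]:
        print(f"{probe!r:28} confined={is_confined(DEMO_DIR, probe)}")
    print(read_allowed(DEMO_DIR, "report"))
```

The order of operations is the point: decode first, then canonicalise, then compare against the canonical base. A double-encoded `..%252F` only becomes a traversal if the application decodes a second time, which is why the check has to sit after the last decoding step in the stack, not before it. The allowlist route avoids the question entirely, since the identifier is looked up in a dictionary and never interpreted as a path.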

Related Terms

path traversal, file access, LFI, RFI
