Directory traversal (path traversal) is a web vulnerability that lets a malicious hacker access and view files located in the web server file system but outside of the web application’s document root folder.
Severity: |
![]() ![]() |
medium severity |
Prevalence: |
![]() |
discovered rarely |
Scope: |
![]() ![]() |
appears only in web-related software |
Technical impact: | access to sensitive information | |
Worst-case consequences: | follow-up with other attacks | |
Quick fix: | do not use filenames from user input |
Source code files that make up a website or web application are located on a web server file system in a location that is called the web document root (web root folder). The primary document root usually contains subdirectories for each website and web application. For example, on a Linux/UNIX server with the Apache web server software, the default root folder is /var/www/ and on a Microsoft Windows server with IIS, the default document root is C:\inetpub\wwwroot.
Developers sometimes need to write application code that directly accesses files stored somewhere in the document root directory or a subdirectory. For example, a developer may want to store images uploaded by users and then allow other users to display them. A user input parameter would then contain the image filename from /var/www/my_app/images/, and the application would open a particular image and display it on-screen.
Directory traversal vulnerabilities happen when a malicious user can include an arbitrary file path in user input and use special characters to access files from a different directory on the server. Special characters used for this are dot-dot-slash combinations: ../ for Linux/UNIX or ..\ for Windows. These combinations allow access to parent directories from a relative path.
While directory traversal is a typical web application vulnerability, it is most often found in embedded web software, for example, device management software or remote administration interfaces. Some path traversal vulnerabilities are even attributed to web servers themselves.
Path traversal vulnerabilities are often confused with local file inclusion (LFI), which is a similar but distinct vulnerability:
To add to the confusion, the two very often appear together and also have exactly the same cause: the developer allowing paths to local files to be passed as part of user input.
Below is a simple example of PHP source code with a directory traversal vulnerability and a path traversal attack vector on an application that includes this code.
The developer of a PHP application wants the user to be able to read poems stored in text files on the web server. These poems in text files are uploaded by other users and stored in a relative poems directory – the absolute path to the images directory is /var/www/my_app/poems/. The following is a code snippet from the poems/display.php file, which displays the poem as part of the HTML.
<?PHP
$file = $_GET["file"];
$handle = fopen($file, 'r');
$poem = fread($handle, 1);
fclose($handle);
echo $poem;
?>
As you can see, the filename is taken directly from the GET HTTP request received from the user. Therefore, you can access and display a poem called poem.txt using the following URL:
http://example.com/my_app/display.php?file=poem.txt
The attacker abuses this script by manipulating the GET request using the following payload:
http://example.com/my_app/display.php?file=../../../../etc/passwd
The display.php script goes four levels up in the directory structure to the Linux root directory, then to the /etc/ directory, and then exposes the passwd file, which contains all the names of operating system users on this server:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(...)
The only direct consequence of a directory traversal attack is access to sensitive information. This sensitive information may be used directly or to follow up with other attacks. If there is sensitive information stored in files on the server, for example, confidential photos of documents or sensitive data in text files, the attacker can find and access such files.
In other cases, directory traversal attacks are used to access typical files that exist on many web servers. Attackers can then use the information from these files to find other appsec attack methods, which may ultimately lead to full server compromise.
Because the web server and its applications access files using the limited permissions of the system account used for the web server process, certain sensitive files such as /etc/shadow (Linux/UNIX password file with hashes), as well as restricted directories, are usually not accessible as a result of a directory traversal attack.
Here are some files that are often the target of directory traversal attacks on Linux-based web servers. All these files are always readable by all operating system users:
Note that directory traversal is very easy to automate via a technique called fuzzing, which involves automatically sending typical attack payloads to the target. Attackers can use dedicated fuzzing apps such as DotDotPwn, so very little technical knowledge is required for such an attack.
The best way to detect directory traversal vulnerabilities depends on whether they are already known or unknown.
There are several methods that allow you to prevent directory traversal vulnerabilities in your code:
The above methods are available in every programming language and therefore every developer can easily prevent directory traversal vulnerabilities by using secure coding techniques. There is no excuse for leaving your application vulnerable to directory traversal.
Note: Do not use blacklisting, encoding, or methods of input validation such as filtering to prevent directory traversal. For example, don’t try to limit or enforce file extensions or block special character sequences. Attackers can use a variety of tricks, such as URL encoding, to bypass such filters.
Methods to mitigate directory traversal attacks will differ depending on the type of software:
In the case of zero-day directory traversals in third-party software, you can apply temporary WAF (web application firewall) rules for mitigation. However, this only makes the directory traversal harder to exploit and does not eliminate the problem.
Classification | ID |
---|---|
CAPEC | 126 |
CWE | 23 |
WASC | 33 |
OWASP 2021 | A1 |
Directory traversal (path traversal) is a web vulnerability that lets a malicious hacker access and view files located in the web server file system but outside of the web application’s document root folder.
The only direct consequence of a directory traversal attack is access to sensitive information. This sensitive information may be used directly or to follow up with other attacks using privilege escalation.
To avoid directory traversal and many other vulnerabilities, follow secure programming habits and never trust user input. If you need to use filenames, use a whitelist of allowed names and locations.