Understanding Directory Traversal
Directory traversal (also known as path traversal or dot-dot-slash attacks) is a web security vulnerability that allows an attacker to access files and directories stored outside the web root folder on the server. By manipulating file path references in application parameters using ../ sequences, an attacker can navigate up the directory tree and read sensitive system files, application configuration files, or source code.
This vulnerability arises when an application uses user-supplied input to construct file paths without properly validating or sanitizing the input. The ../ sequence means "go up one directory" in both Unix and Windows file systems, and by chaining multiple sequences, an attacker can reach any file on the system that the web server process has permission to read.
How the Attack Works
Consider a web application that serves files based on a URL parameter:
https://example.com/view?file=report.pdfThe server-side code might construct the file path like this:
$filepath = '/var/www/html/documents/' . $_GET['file'];
readfile($filepath);If the application does not validate the file parameter, an attacker can modify the request to:
https://example.com/view?file=../../../../etc/passwdThe resulting path becomes /var/www/html/documents/../../../../etc/passwd, which resolves to /etc/passwd. On Linux systems, this file contains a list of all user accounts on the server. The attacker can then use this information to attempt further attacks.
Common Targets
Attackers typically target files that contain sensitive information:
| File Path | Contents |
|---|---|
/etc/passwd | User account information (Linux/Unix) |
/etc/shadow | Password hashes (Linux/Unix, requires root) |
/etc/hosts | Hostname mappings |
wp-config.php | WordPress database credentials |
.env | Environment variables including API keys and database passwords |
/proc/self/environ | Process environment variables (Linux) |
C:\Windows\win.ini | Windows configuration file |
web.config | IIS configuration including connection strings |
Encoding and Bypass Techniques
Attackers use various encoding techniques to bypass basic filtering:
- URL encoding:
%2e%2e%2for%2e%2e/instead of../ - Double URL encoding:
%252e%252e%252fwhen the application decodes the input twice - Unicode encoding:
..%c0%afor..%ef%bc%8fto represent the slash character - Null byte injection:
../../../etc/passwd%00.pdfto truncate the expected file extension (in older languages and systems) - Backslash substitution:
..\..\..\on Windows servers that accept both forward and back slashes - Nested traversal:
....//....//when the application strips../only once
Related Vulnerabilities
Local File Inclusion (LFI)
Local File Inclusion is closely related to directory traversal. In LFI, the application includes and executes a local file based on user input. If the included file contains PHP code (or another server-side language), it is executed by the server. Attackers can combine LFI with log poisoning (injecting PHP code into log files) to achieve remote code execution.
Remote File Inclusion (RFI)
Remote File Inclusion occurs when the application includes a file from a remote server. If the PHP directive allow_url_include is enabled, an attacker can supply a URL pointing to their malicious script, which the server downloads and executes. RFI is less common today because this directive is disabled by default in modern PHP configurations.
Prevention
Path Normalization and Validation
Resolve the full canonical path of any user-supplied file reference and verify it falls within the expected directory. In PHP, use realpath() to resolve symbolic links and ../ sequences, then check that the resulting path starts with the allowed base directory:
$base = '/var/www/html/documents/';
$path = realpath($base . $_GET['file']);
if ($path === false || strpos($path, $base) !== 0) {
die('Access denied');
}Allowlist Approach
Instead of accepting arbitrary file names from users, maintain a mapping of allowed identifiers to file paths. The user submits an ID like file=report1, and the application looks up the corresponding path in a predefined list. This eliminates path manipulation entirely.
Chroot Jails and Sandboxing
Configure the web server or application to run in a chroot jail or container that restricts file system access to a specific directory tree. Even if a traversal vulnerability exists, the attacker cannot escape the restricted environment.
Least Privilege File Permissions
Ensure the web server process runs with minimal file system permissions. It should only have read access to files it needs to serve and should not have access to sensitive system files like /etc/shadow.
WAF Protection
A Web Application Firewall detects ../ sequences and their encoded variations in HTTP requests. WAF rules normalize paths before inspection, catching URL-encoded and double-encoded bypass attempts. While a WAF provides an important defensive layer, it should complement proper input validation in your application code.
Summary
Directory traversal is a straightforward but dangerous vulnerability that allows attackers to read sensitive files from your server. Prevention requires proper path validation using canonicalization functions, allowlist approaches for file access, restrictive file permissions, and WAF rules as an additional safety net. Never trust user input when constructing file paths, and always verify that the resolved path stays within the intended directory.
Get
Started