search

Path traversal

circle-exclamation

Before you start, it is very recommended to have basics of file system concepts (absolute vs. relative paths, path separators), operating system permission models, and how web servers and applications map URLs or input values to filesystem resources. This part may seem long, and its sections are built to be sequentially starting from the beginner level up to some advanced stuff, feel free to navigate to whatever topic you want. hack fun :)

hashtag
Understanding Path Traversal

hashtag
What is Path Traversal?

Path traversal (also known as directory traversal) is a security vulnerability that allows attackers to access files and directories outside of the intended directory structure. This occurs when applications use user-supplied input to construct file paths without proper validation or sanitization.

hashtag
Vulnerable Code Example

// PHP vulnerable file reading
$file = $_GET['file'];
$content = file_get_contents('/var/www/html/uploads/' . $file);
echo $content;

Normal Request:

  • URL: GET /view.php?file=document.pdf

  • Path: /var/www/html/uploads/document.pdf

Malicious Request:

  • URL: GET /view.php?file=../../../etc/passwd

  • Path: /var/www/html/uploads/../../../etc/passwd/etc/passwd

hashtag
How Path Traversal Works

Path traversal exploits the way operating systems handle relative path references. By using special directory references like ../ (parent directory) or absolute paths, attackers can navigate outside the intended directory structure to access sensitive files.

hashtag
Common Path Traversal Sequences

Unix/Linux Systems:

  • ../ - Parent directory

  • ./ - Current directory

  • / - Root directory

  • ~ - Home directory

  • // - Alternative root (some systems)

Windows Systems:

  • ..\ - Parent directory

  • .\ - Current directory

  • C:\ - Drive root

  • \\ - UNC path prefix

  • / - Also works on Windows

hashtag
Impact and Consequences

  • Sensitive File Access - Reading configuration files, passwords, keys

  • Source Code Disclosure - Accessing application source code

  • System Information Gathering - Reading system files, logs

  • Credential Harvesting - Accessing password files, tokens

  • Remote Code Execution - In combination with file upload vulnerabilities

  • Denial of Service - Accessing large files or system resources

hashtag
Common Vulnerable Scenarios

hashtag
File Download/View Functionality

Document Viewers:

Image Galleries:

Log File Viewers:

hashtag
File Upload Paths

Upload Directory Specification:

Template File Access:

hashtag
Include/Require Operations

Dynamic File Inclusion:

Configuration File Loading:

hashtag
Basic Path Traversal Techniques

hashtag
Simple Directory Traversal

hashtag
Basic Dot-Dot-Slash

Linux/Unix Traversal:

Windows Traversal:

hashtag
Absolute Path Access

Direct Absolute Paths:

hashtag
Mixed Traversal Techniques

Combining Relative and Absolute:

hashtag
URL Encoding Bypass

hashtag
Single URL Encoding

Basic URL Encoding:

hashtag
Double URL Encoding

Double-Encoded Sequences:

hashtag
Unicode and UTF-8 Encoding

Unicode Variations:

hashtag
Filter Evasion Techniques

hashtag
Null Byte Injection

Null Byte Termination:

hashtag
Case Variation

Mixed Case Paths:

hashtag
Alternative Separators

Different Path Separators:

hashtag
Character Substitution

Alternative Character Representations:

hashtag
Advanced Path Traversal Techniques

hashtag
Deep Directory Traversal

hashtag
Excessive Dot-Dot Sequences

Over-Traversal:

hashtag
Nested Path Construction

Complex Path Building:

hashtag
Application-Specific Bypasses

hashtag
Framework-Specific Techniques

PHP Path Traversal:

Java Path Traversal:

ASP.NET Path Traversal:

hashtag
Operating System Specific

Linux-Specific Paths:

Windows-Specific Paths:

hashtag
Filter Bypass Combinations

hashtag
Multi-Encoding Techniques

Layered Encoding:

hashtag
Whitespace and Special Characters

Whitespace Injection:

hashtag
Path Normalization Bypass

Path Segment Manipulation:

hashtag
Platform-Specific Exploitation

hashtag
Linux/Unix Systems

hashtag
System File Access

Password and Authentication:

System Configuration:

Log Files:

hashtag
Application Files

Web Server Configuration:

Database Configuration:

hashtag
Windows Systems

hashtag
System File Access

System Configuration:

User Data:

hashtag
IIS and ASP.NET Files

IIS Configuration:

Windows Services:

hashtag
Web Application Context Exploitation

hashtag
File Download Vulnerabilities

hashtag
Document Management Systems

Download Endpoint Exploitation:

PDF/Document Viewers:

hashtag
Image and Media Galleries

Image Gallery Exploitation:

hashtag
File Upload Vulnerabilities

hashtag
Upload Path Manipulation

Directory Traversal in Upload:

ZIP File Extraction (Zip Slip):

hashtag
Template and Include Vulnerabilities

hashtag
Template Engine Exploitation

Template Path Traversal:

Server-Side Include (SSI):

hashtag
Advanced Exploitation Scenarios

hashtag
Chained Attacks

hashtag
Path Traversal to RCE

File Upload + Path Traversal:

Log Poisoning + Path Traversal:

hashtag
Information Gathering Chain

Configuration Discovery:

hashtag
Container and Cloud Exploitation

hashtag
Docker Container Escape

Container File Access:

hashtag
Kubernetes Pod Escape

Service Account Access:

hashtag
Cloud Metadata Access

AWS Instance Metadata:

hashtag
Language and Framework Specific

hashtag
PHP Applications

hashtag
PHP-Specific Vulnerabilities

PHP Stream Wrappers:

Include/Require Exploitation:

hashtag
PHP Configuration Files

Common PHP Targets:

hashtag
Java Applications

hashtag
Java-Specific Paths

Java Application Files:

Class Path Traversal:

hashtag
Python Applications

hashtag
Python-Specific Files

Python Application Files:

hashtag
Python Virtual Environments

Virtual Environment Access:

hashtag
Node.js Applications

hashtag
Node.js Specific Files

Node.js Configuration:

Process and Environment:

PreviousFile upload vulnerabilitiesNextLocal File Inclusion (LFI)

Last updated

Was this helpful?