OWASP Periodic Table of Vulnerabilities - Path Traversal


Root Cause Summary
File resources are located using user-supplied data (a file name, path or URL fragment) that reaches the file system without adequate canonicalization or authorization, allowing a malicious user to read or write files they are not authorized to access, typically by supplying ".." sequences, absolute paths or encoded equivalents that escape the intended directory.

Browser / Standards Solution


Perimeter Solution
·      Canonicalize requested URLs and file paths (decode percent-encoding, resolve "." and ".." segments) before any authorization decision, and prevent directory access outside the web root.

Generic Framework Solution
·      Provide safe libraries for accessing the file system that canonicalize path references (decode any URL encoding, resolve ".", ".." and symbolic links) and enforce proper access control on the resulting path.

·      Provide a method that compares the canonicalized path against a whitelist of paths the current user is permitted to access at their access level in the application, checking containment on a directory boundary rather than with a plain string-prefix test (a prefix test accepts "/var/www/webroot2" as being inside "/var/www/webroot").

·      Provide safe methods that do not let the file extension of the intended resource be tampered with, for example through a NUL byte, which truncates the path in C-backed file APIs, or through an appended second extension.

·      Input validation that rejects user-supplied data containing "..". Rejecting is preferable to stripping: a filter that deletes "../" turns "....//" into "../", and an encoded "%2e%2e/" passes a literal check unless the data is decoded first. Validation complements canonicalization; it does not replace it.

Custom Framework Solution


Discussion / Controversy
