OWASP Periodic Table of Vulnerabilities - Path Traversal

Jump to: navigation, search

Return to Periodic Table Working View

Path Traversal

Root Cause Summary

File resources are accessed using references constructed from user-supplied data, allowing a malicious user to access files outside the web root that were not intended to be exposed.

Browser / Standards Solution


Perimeter Solution

Perimeter and platform technologies should canonicalize all URLs and path references, replacing relative paths with absolute paths wherever possible.

The platform should be deployed with permissions that prevent the web server process from accessing files outside the web root.

Generic Framework Solution

The framework should provide safe libraries for accessing the file system that canonicalize path references, enforce proper access control, and prevent direct access to the filesystem. The libraries should have the following features:

  • Canonicalization of file and path names, properly transforming null bytes and relative paths before all other processing takes place
  • A configuration-based whitelist of directories that are allowed to be accessed by the application
  • A role-based access control list to further limit access to whitelisted directories
  • A configuration-based whitelist of file extensions that may be accessed

Custom Framework Solution


Custom Code Solution


Discussion / Controversy



Path Traversal
Path Traversal (WASC)
Path Traversal (CWE)