Path Traversal

Revision as of 06:05, 26 May 2009 by Deleted user (Talk | contribs)



This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 05/26/2009


A Path Traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited only by the operating system's access control. The attacker uses “../” sequences to move up to the root directory, thus permitting navigation through the file system.

This attack can be combined with external malicious code injected into the path, as in the Resource Injection attack. No specific tool is needed to perform this attack; attackers typically use a spider/crawler to detect all available URLs.

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

Related Security Activities

How to Avoid Path Traversal Vulnerabilities

See the OWASP Guide article on how to Avoid Path Traversal Vulnerabilities.

How to Test for Path Traversal Vulnerabilities

See the OWASP Testing Guide article on how to Test for Path Traversal Vulnerabilities.


Request variations

Encoding and double encoding:

%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\ (double encoded)
..%255c represents ..\ (double encoded)
and so on.

Percent encoding (aka URL encoding)

Note that web containers perform one level of decoding on percent-encoded values from forms and URLs, so a double-encoded sequence such as %252e reaches the application as %2e and can slip past a check performed before the application's own decoding.

Overlong UTF-8 encoding (accepted by lenient decoders):

..%c0%af represents ../
..%c1%9c represents ..\

OS specific

UNIX-like systems:
Root directory: “/”
Directory separator: “/”

Windows:
Root directory: “<partition letter>:\”
Directory separator: “/” or “\”
Note that Windows allows filenames to be followed by extra . \ / characters.

In many operating systems, null bytes (%00) can be injected to terminate the filename. For example, sending a parameter whose value has the form <filename>.doc%00.pdf will result in the Java application seeing a string that ends with ".pdf", while the operating system sees a file name that ends in ".doc". Attackers may use this trick to bypass validation routines.
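The request variations above (single and double percent encoding, overlong UTF-8 separators, backslash separators, drive-letter roots and null bytes) are what a log reviewer or WAF rule has to normalize before it can recognise a traversal attempt. The following Python is an added example written for this page, not code from the OWASP wiki: it decodes a parameter value repeatedly but with a bound, maps the two overlong sequences listed above to the separators they stand for, folds backslashes, and then reports findings. The sample values and the finding labels are constructed for the example.

```python
from urllib.parse import unquote

# Overlong UTF-8 byte sequences that lenient decoders have accepted as path
# separators. They are matched on a latin-1-decoded value, where each raw
# byte is exactly one character.
OVERLONG_SEPARATORS = {
    "\xc0\xaf": "/",   # ..%c0%af  ->  ../
    "\xc1\x9c": "\\",  # ..%c1%9c  ->  ..\
}


def normalize_path_param(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a path-like request parameter for inspection.

    Percent-decoding is repeated to undo double (and triple) encoding but is
    bounded, so a hostile input cannot keep the loop busy. latin-1 is used so
    that %c0%af and %00 decode to single characters instead of raising.
    Backslashes are folded to forward slashes so one check also covers
    Windows-style separators.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:
            break
        current = decoded
    for sequence, separator in OVERLONG_SEPARATORS.items():
        current = current.replace(sequence, separator)
    return current.replace("\\", "/")


def scan_path_param(value: str) -> list:
    """Return the traversal-related findings for one parameter value."""
    normalized = normalize_path_param(value)
    findings = []
    if ".." in normalized.split("/"):
        findings.append("dot-dot segment")
    if "\x00" in normalized:
        findings.append("null byte")
    is_drive_root = len(normalized) > 2 and normalized[1] == ":" and normalized[2] == "/"
    if normalized.startswith("/") or is_drive_root:
        findings.append("absolute path")
    return findings


# Constructed sample values (not from the original page), as they might appear
# in an access log or a WAF rule test.
SAMPLE_VALUES = [
    "images/logo.png",               # benign relative path
    "%2e%2e%2f%2e%2e%2fetc/passwd",  # single percent encoding
    "..%255c..%255cconfig.txt",      # double encoding, backslash form
    "..%c0%af..%c0%afetc/passwd",    # overlong UTF-8 slash
    "report.doc%00.pdf",             # null-byte suffix bypass
    "C:%5cwindows%5cwin.ini",        # absolute Windows path
]


def scan_all(values=SAMPLE_VALUES) -> dict:
    """Map each value to its findings; an empty list means nothing was found."""
    return {value: scan_path_param(value) for value in values}


if __name__ == "__main__":
    for value, findings in scan_all().items():
        print(f"{value!r:36} -> {findings or 'clean'}")
```

The decode loop stops as soon as a round changes nothing, so legitimate values that contain a literal percent sign are decoded at most a couple of times; the bound is what keeps a crafted value from turning the normalizer into a denial-of-service vector.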


Example 1

The following examples show how the application deals with the resources in use.  

In these examples it’s possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.

The following URLs show examples of *NIX password file exploitation. 

Note: On a Windows system an attacker can navigate only within the partition that holds the web root, while on Linux the whole disk is reachable.

Example 2

It's also possible to include files and scripts located on an external website.

Example 3

These examples illustrate a case where an attacker made the server show the CGI source code.

Example 4

This example was extracted from: Wikipedia - Directory Traversal

A typical example of vulnerable application code is:

$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )   // cookie value is trusted as-is
   $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );   // no allow-list, no canonicalization

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh 

The repeated ../ sequences after /home/users/phpguru/templates/ have caused include() to traverse to the root directory and then include the UNIX password file /etc/passwd.

The UNIX /etc/passwd file is commonly used to demonstrate directory traversal, as it is often targeted by crackers trying to crack passwords.

Absolute Path Traversal

The following URLs may be vulnerable to this attack:

An attacker can execute this attack like this:

When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. the path to a file containing source code, which may then be displayed).
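Both the relative traversal in Example 4 (a cookie value spliced into an include path) and the absolute-path variant above fail for the same reason: the user-supplied name is handed to the file system without being checked against the directory it was meant to stay in. The following Python is an added example for this page, not code from the OWASP wiki or from the Wikipedia article, showing the two defensive shapes: an allow-list when the set of legitimate files is known (the template case), and a canonicalize-then-contain check when arbitrary files below one directory must be served. TEMPLATE_DIR, ALLOWED_TEMPLATES and the function names are assumptions made for the example.

```python
import os

# Constructed base directory and template allow-list (not from the original
# page); stands in for the /home/users/phpguru/templates/ layout of Example 4.
TEMPLATE_DIR = "/srv/www/templates"
ALLOWED_TEMPLATES = frozenset({"blue.php", "green.php"})


def select_template(requested: str, default: str = "blue.php") -> str:
    """Allow-list fix: the cookie may only pick a name from a fixed set.

    This is the right shape when the legitimate files are known in advance.
    Anything outside the set falls back to the default instead of being
    passed to the file system at all, so encoding tricks never matter.
    """
    return requested if requested in ALLOWED_TEMPLATES else default


def resolve_under(base_dir: str, user_path: str) -> str:
    """Containment fix: resolve user_path and require it to stay in base_dir.

    Assumes the web container has already percent-decoded user_path once.
      1. reject NUL bytes, which truncate names in C-based file APIs;
      2. join with the base (os.path.join discards the base when user_path
         is absolute, which is exactly the case steps 3 and 4 catch);
      3. canonicalize '..' and symlinks with realpath;
      4. require the canonical base to be a path prefix of the result and
         refuse the base directory itself.
    Raises ValueError on any escape attempt.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean view of resolve_under, convenient for policy checks."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    for cookie in ("green.php", "../../../../../../../../../etc/passwd"):
        print("cookie %r -> template %s" % (cookie, select_template(cookie)))
    for path in ("blue.php", "sub/../blue.php", "/etc/passwd", "blue.php\x00.txt"):
        print("%r contained: %s" % (path, is_contained(TEMPLATE_DIR, path)))
```

The prefix comparison is done on os.path.commonpath rather than on str.startswith so that a sibling directory such as /srv/www/templates-old is not mistaken for a child of the base; the realpath call is what makes "sub/../blue.php" and a symlink pointing outside the base resolve to their true location before the comparison.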

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls