Directory traversal

What is it?

Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the server's file system that the application never intended to expose, by manipulating the file paths the application builds from user input.

A simple example:

A vulnerable web application may expose an endpoint such as /get_file?path={filepath}. When a request is made, the application returns the content of the file named in {filepath}. If the path is joined onto the application's file directory without validation, an attacker can supply a value such as ../../../etc/passwd: each ../ segment steps one directory up, so the resulting path points outside the intended directory. The application then opens that file, and if its contents are sent back in the response, the attacker can read sensitive system information.

Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to:

  • Sensitive data exposure

  • System information disclosure
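The /get_file pattern from the example above, written out as an added illustration (not code from the original page): the unchecked join that makes traversal possible, beside a hardened version that canonicalises the path and verifies it is still under the public directory. The directory layout and the readme.txt file are constructed for the demonstration.

```python
import os
import tempfile

# Constructed layout: a public directory holding a single file the app may serve.
BASE = tempfile.mkdtemp(prefix="public_")
with open(os.path.join(BASE, "readme.txt"), "w") as f:
    f.write("hello\n")


def vulnerable_path(requested: str) -> str:
    """The flawed pattern: user input is joined straight onto the public
    directory, so '../' segments walk out of it. Returns the path the
    vulnerable handler would open (normalised so the escape is visible)."""
    return os.path.normpath(os.path.join(BASE, requested))


def safe_path(requested: str):
    """Canonicalise the candidate and keep it only if it stays under BASE.

    realpath() resolves '..', repeated slashes and symlinks on both sides, and
    commonpath() is used instead of a plain startswith() so that a sibling
    directory whose name merely begins with BASE is also rejected.
    A string filter that strips '../' once is not a substitute for this check."""
    base = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def hardened_get_file(requested: str):
    """Serve the file only if it resolves inside BASE and is a regular file."""
    target = safe_path(requested)
    if target is None or not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    print("vulnerable would open:", vulnerable_path("../../../etc/passwd"))
    print("hardened serves readme:", hardened_get_file("readme.txt"))
    print("hardened blocks traversal:", hardened_get_file("../../../etc/passwd"))
```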

Other learning resources:

  • Basic directory traversal

  • Reading application's own configuration files

  • Log exposure

  • Non-recursive filter bypass
