AppSecExplained
  • Index < START HERE
    • My courses
    • How to get started from zero
  • 📽️Live Stream Content
    • Resource of the week
  • Discovery / Recon
    • Methodology
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • Code review
    • Getting started
    • Sinks
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
Powered by GitBook
On this page
  • What is it?
  • Checklist
  • Exploitation
  • Tools

Was this helpful?

  1. Common vulns
  2. File Inclusion
  3. Local file inclusion

Directory traversal

PreviousLocal file inclusionNextCommand injection

Last updated 1 year ago

Was this helpful?

What is it?

Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application.

A simple example:

A vulnerable web application may have the endpoint /get_file?path={filepath} When a request is made, the application returns the content of the specified file. If an attacker inserts a path into {filepath} such as ../../../etc/passwd, they might get access to the system files. The application then fetches this file, and if the file contents are sent in the response, the attacker can view sensitive system information.

Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to:

  • Sensitive data exposure

  • System information disclosure

Other learning resources:

PortSwigger:

Checklist

Exploitation

Basic directory traversal

../../../../etc/passwd

Reading application's own configuration files

../../webapp/config/database.ini

Log exposure

../../../../var/log/apache2/access.log

Non-recursive filter bypass

..././..././..././..././..././..././etc/passwd

Tools

https://portswigger.net/web-security/file-path-traversal
LogoGitHub - wireghoul/dotdotpwn: DotDotPwn - The Directory Traversal FuzzerGitHub