Path traversal (directory traversal) is a vulnerability where an application builds a file path from user input without restricting it. An attacker then uses ../ sequences to escape the intended directory and read (or sometimes write) files elsewhere on the server, such as /etc/passwd or application secrets. The fix is to map choices to a server-side allow-list and confirm the resolved path stays inside an allowed base directory.
What path traversal is
Applications often serve or read files based on user input, for example ?file=report.pdf reading /var/app/files/report.pdf. Path traversal is when an attacker supplies a path that climbs out of that base directory.
The sequence ../ means "parent directory," so ../../../../etc/passwd walks up to the filesystem root and back down to a sensitive file. The application, building the path from raw input, happily reads whatever the attacker names.
How it works and example
The attacker manipulates the filename or path parameter:
- Read a system file:
?file=../../../../etc/passwd - On Windows:
?file=..\..\..\windows\win.ini - Bypass naive filters with encoding (
%2e%2e%2f), double encoding, or....//(which collapses to../after one round of stripping). - Reach application config and secrets relative to the base directory.
Where the app also writes based on the path, traversal can overwrite files. Examples shown for defensive context.
How to fix it
- Avoid user-controlled paths. Map user choices to a server-side allow-list of files (an ID to a known filename), not a raw path.
- Canonicalise and confirm containment: resolve the absolute path and check it begins with the intended base directory before accessing it.
- Decode before validating so encoded traversal cannot slip through.
- Run with least privilege so the process cannot read sensitive files even if traversal occurs.
- Test every file parameter for traversal.
References
- [1]OWASP: Path Traversal(OWASP)
- [2]MITRE CWE-22: Improper Limitation of a Pathname to a Restricted Directory(MITRE CWE)
- [3]OWASP Top 10(OWASP)