Path Traversal
| Field | Value |
|---|---|
| ID | path_traversal |
| Severity | critical |
| Kind | Path Traversal |
| CWE | 22 |
Description
Path Traversal (also known as Directory Traversal or dot-dot-slash attack) is a web security vulnerability that allows an attacker to read, and in some cases write, arbitrary files on the server by manipulating file path references in application requests. It occurs when user-controllable input is used to construct filesystem paths without proper validation or sanitization, enabling the use of special character sequences such as ../ to escape the intended directory and access resources outside the web document root. Variations of this attack use different encodings — including URL encoding (%2e%2e%2f), double URL encoding (..%255c), Unicode encoding (..%c0%af), and backslash sequences (..\) on Windows — to bypass security filters that attempt to block the basic traversal pattern.
Rationale
An attacker exploits Path Traversal by injecting relative path sequences or absolute file paths into parameters that the application passes to filesystem APIs, such as file download endpoints, template loaders, or static resource handlers, to read sensitive files like /etc/passwd, application source code, configuration files containing database credentials, or private cryptographic keys. A successful exploit can lead to full disclosure of confidential data, and when write access is possible, the attacker may overwrite critical files such as application configuration or code, potentially achieving remote code execution on the server. Because this vulnerability provides a direct bridge between untrusted input and the server filesystem, it is classified under OWASP Top 10 A01:2021 Broken Access Control and is consistently rated as critical in severity.
Remediation
Avoid passing user-supplied input to filesystem APIs. The most effective defense is to eliminate the use of user-controllable data in file operations entirely. Where the set of accessible resources is known, use an indirection layer that maps fixed identifiers (such as numeric IDs) to actual file paths, and reject any input that does not match a known identifier.
Validate input against a strict allow list. If user input must reach a filesystem API, restrict it to a well-defined set of permitted characters — ideally alphanumeric only — and reject any input containing path separators (/, \), null bytes (%00), or dot sequences. Do not rely solely on a deny list of dangerous patterns, as attackers can use novel encodings to bypass such filters.
Canonicalize paths and verify the resolved location. After validating and appending the user-supplied filename to the expected base directory, use a platform-provided canonicalization function (such as java.io.File.getCanonicalPath() in Java or realpath() in C) to resolve the full path. Then verify that the resulting canonical path starts with the expected base directory before proceeding with the file operation.
Apply the principle of least privilege. Run the application process with the minimum filesystem permissions required. Use operating-system-level sandboxing mechanisms — such as chroot jails, AppArmor, or SELinux — to restrict which directories and files the application can access, limiting the impact of a successful traversal attack.
Reject filenames with directory separators and multiple dots. When accepting filenames, use a stringent allow list that limits the character set and, if feasible, permits only a single dot character in the filename to prevent extension manipulation. Exclude all directory separator characters to ensure the filename cannot reference a path outside the intended directory.
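The layered defense described in the Remediation items above (strict allow list, canonicalization, containment check against the base directory), as an added Python example that is not part of this page; the filename pattern, the temporary base directory and the probe strings are constructed for illustration.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Allow list (constructed): letters, digits, '_' and '-', plus at most one dot
# separating the name from its extension. '/', '\', NUL, '..' and '%' are all
# outside the set, so percent-encoded and double-encoded variants fail here too.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def is_inside(base: str, candidate: str) -> bool:
    """Containment check on two already-canonical absolute paths."""
    # commonpath() compares whole components, so '/srv/files2/x' is not taken
    # to be inside '/srv/files' the way a naive startswith() would allow.
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed absolute/relative, or different drives on Windows
        return False


def resolve_safe_path(base_dir: str, user_name: str) -> Optional[str]:
    """Return the canonical path for user_name under base_dir, or None if rejected."""
    # Layer 1: strict allow list on the raw filename.
    if not SAFE_NAME.fullmatch(user_name):
        return None
    # Layer 2: canonicalize (realpath also resolves symlinks) and verify containment.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    return candidate if is_inside(base, candidate) else None


def probe_traversal_variants() -> Dict[str, bool]:
    """Run constructed probe strings through the resolver; True means accepted."""
    probes = [
        "report.pdf",                   # legitimate filename
        "../../etc/passwd",             # classic dot-dot-slash
        "..%2f..%2fetc%2fpasswd",       # URL-encoded, if the framework did not decode
        "..%255c..%255cwin.ini",        # double URL-encoded backslash
        "..%c0%af..%c0%afetc/passwd",   # overlong UTF-8 encoding of '/'
        "..\\..\\windows\\win.ini",     # backslash sequences
        "report.pdf\x00.txt",           # null byte
        "archive.tar.gz",               # second dot: rejected by the single-dot rule
    ]
    with tempfile.TemporaryDirectory() as base:
        return {p: resolve_safe_path(base, p) is not None for p in probes}
```

Only the first probe is accepted; every traversal variant is stopped by the allow list before it reaches the filesystem, and `is_inside` remains as the second layer should validation ever be loosened.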
References
- Path Traversal, in OWASP Community.