Directory Traversal
Directory Traversal (or Path Traversal) allows an attacker to read files on the server that are outside of the website's root directory, potentially exposing sensitive system files or credentials.
Attack Simulation (interactive demo): a File Viewer App rooted at `/var/www/html/public`, with a System Output panel. Clicking "Inject Attack Payload" inserts `../` sequences that navigate up the file system tree to reach `/etc/passwd`.
How it Works
- Dot-Dot-Slash: The sequence `../` tells the operating system to move "up" one directory level.
- Root Escape: By chaining enough `../`, an attacker can escape the web folder (e.g., `/var/www/html`) and reach the system root `/`.
- Sensitive Access: Files like `/etc/passwd` (user list) or configuration files with passwords become accessible.
Prevention & Defense
- Input Validation: Validate that user input contains only expected characters (alphanumeric) and strictly reject any input containing `..` or a path separator such as `/`.
- Use Indirect References: Instead of using filenames directly (e.g., `?file=report.pdf`), use an ID map (e.g., `?id=1` maps to `report.pdf` on the server), so the client never supplies a path at all.
- File System Permissions: Run the web server with limited permissions so it cannot read system files even if the code is vulnerable.
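The following Python snippet is an added example, not code from this page or its demo app. It shows both the traversal mechanics from "How it Works" (what a naive join resolves `../` sequences to) and the first two prevention steps above (an allow-list plus a containment check, and an ID map instead of raw filenames). The web root is the page's `/var/www/html/public`; the `FILE_IDS` map, the function names and the exact allow-list are assumptions for illustration. Nothing here touches the real filesystem; it only resolves paths.

```python
import posixpath

# Web root taken from the page's demo app.
WEB_ROOT = "/var/www/html/public"

# Indirect-reference map (constructed for this example): the client sends an
# integer ID and the server, not the user, decides which file that means.
FILE_IDS = {
    1: "report.pdf",
    2: "manual.pdf",
}

# Characters an expected filename may contain (assumed allow-list).
ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


def naive_path(user_input: str, root: str = WEB_ROOT) -> str:
    """Vulnerable pattern: glue user input onto the web root and hand it to the
    filesystem. normpath shows the path the OS would actually open."""
    return posixpath.normpath(posixpath.join(root, user_input))


def is_escaped(resolved: str, root: str = WEB_ROOT) -> bool:
    """True when a resolved path no longer sits under root."""
    root_norm = posixpath.normpath(root)
    return posixpath.commonpath([root_norm, resolved]) != root_norm


def safe_path(user_input: str, root: str = WEB_ROOT) -> str:
    """Hardened resolver: allow-list the characters, refuse '..', separators and
    hidden names, then confirm the resolved path is still inside root.
    Raises ValueError on any violation."""
    if not user_input or len(user_input) > 255:
        raise ValueError("empty or oversized filename")
    if any(ch not in ALLOWED_CHARS for ch in user_input):
        # Rejects '/', '\\', NUL, whitespace and anything non-ASCII.
        raise ValueError("filename contains disallowed characters")
    if user_input.startswith("."):
        # Covers '.', '..' and dotfiles such as .htaccess.
        raise ValueError("dot-prefixed names are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, user_input))
    # Defence in depth: even if the allow-list is loosened later, a path that
    # resolves outside root is refused. commonpath (not startswith) is used so
    # that a sibling like /var/www/html/public2 is not mistaken for root.
    if is_escaped(candidate, root):
        raise ValueError("resolved path escapes the web root")
    return candidate


def path_from_id(file_id: int, root: str = WEB_ROOT) -> str:
    """Indirect reference: map the ID server-side; unknown IDs are rejected."""
    try:
        name = FILE_IDS[file_id]
    except KeyError:
        raise ValueError("unknown file id") from None
    return safe_path(name, root)


if __name__ == "__main__":
    payload = "../../../../etc/passwd"  # the page's demo payload
    resolved = naive_path(payload)
    print("naive :", resolved, "escaped:", is_escaped(resolved))
    try:
        safe_path(payload)
    except ValueError as err:
        print("safe  : rejected ->", err)
    print("by id :", path_from_id(1))
```

Two details worth noting: `posixpath.join` discards the root entirely when the user input is absolute, so a bare `/etc/passwd` is as dangerous as a chain of `../`; and the checks must run on the fully decoded value (after URL decoding), with the containment check repeated on the resolved path, so that no encoding layer slips past the allow-list.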