Directory Traversal

What is Directory Traversal

Directory Traversal also known as Path Traversal is a vulnerability which allows an attacker to view arbitrary files that is stored in the server where the vulnerable application is running.

These files might include:

Application code and data.
Credentials for back-end systems.
Sensitive operating system files.

Testing for Path Traversal

Input Vector Enumeration

Enumerate all parts of the application that accept content from the user.
- HTTP GET queries
- HTTP POST queries
- File uploads section
- HTML forms
Example Checks
- Are there request parameters which could be used for file-related operations?
- Are there unusual file extensions?
- Are there interesting variable names?
  http://example.com/getUserProfile.jsp?item=ikki.html
  http://example.com/index.php?file=content
  http://example.com/main.cgi?home=index.htm
- Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates?
  Cookie:ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
  Cookie:USER=1826cc8f:PSTYLE=GreenDotRed

PreviousFile Inclusion NextSQL Injection

Last updated 6 months ago