Directory traversal — also known as path traversal — is a web application vulnerability that allows attackers to read files outside the intended web root by manipulating file path parameters. When combined with file inclusion vulnerabilities, it enables attackers to execute arbitrary code on the server. Despite being a well-understood vulnerability class, path traversal appears regularly in enterprise application security assessments.
How Path Traversal Works
Web applications that accept file paths or filenames as user input are susceptible. Consider a PHP application that serves PDF reports: https://app.example.com/report?file=Q4_Report.pdf. If the backend constructs the path as /var/www/reports/ + user_input without validation, an attacker can supply ../../etc/passwd to read arbitrary files. The dot-dot sequence (../) traverses up directory levels.
Encoding bypasses make naive defenses inadequate:
%2e%2e%2f— URL encoded traversal%252e%252e%252f— Double URL encoded..%c0%af— Unicode encoding (CVE-2002-1706 Apache)....//....//— Null byte injection in languages with C string handling- Windows-specific:
..,%5c, mixed/separators
High-Value Targets for Linux/Windows Environments
Once an attacker achieves path traversal, the question becomes: what to read? On Linux systems, high-value targets include /etc/passwd and /etc/shadow (user accounts and password hashes), /etc/hosts and /etc/resolv.conf (network reconnaissance), application configuration files containing database credentials, SSH private keys in /root/.ssh/ or user home directories, and cloud metadata endpoints reachable via SSRF chaining.
On Windows systems: C:WindowsSystem32driversetchosts, C:Windows
epairsam (if accessible), application configuration files like web.config containing connection strings and API keys, and IIS log files for reconnaissance.
Local File Inclusion vs Remote File Inclusion
File inclusion vulnerabilities extend path traversal to code execution. Local File Inclusion (LFI) includes server-side files in the application's response. In PHP applications, include($_GET['page']) combined with log poisoning (injecting PHP code into Apache access logs via User-Agent headers, then including the log file) achieves remote code execution. Remote File Inclusion (RFI), when enabled by the PHP allow_url_include directive, allows inclusion of attacker-controlled remote files directly.
Remediation
Path traversal remediation requires more than stripping ../ sequences — bypass techniques render simple blacklists ineffective. Robust remediation involves: canonicalizing the path using realpath() or equivalent, then validating that the resolved path begins with the expected base directory. In code: if (!realpath($file).startsWith('/var/www/allowed/')) { deny(); }. Avoid accepting file paths from user input altogether where possible — use indirect references (IDs mapped to file paths on the server) instead of direct path parameters. Our web application penetration testing includes systematic path traversal and file inclusion testing as standard scope.