What is Directory Traversal Attack

Directory traversal is another critical web application vulnerability. It arises when the server does not validate the file path it builds from user-supplied input.

Directory traversal allows an attacker to change directories on the server and read the contents of directories outside the web root. For example, on Linux-based servers the web root is usually /var/www/html, and a website stored there is served as www.example.com/

If the web application is vulnerable, the attacker uses a basic payload to step back one or more directories and read their contents, the same way you would on the command line.

On the command line you change directory with the cd command, and to go back one directory, say from /var/www/html to /var/www/, you use cd ../. In the same way, if the attacker requests www.example.com/../ the server goes back one directory and returns the contents of that directory, and each additional ../ goes back one directory further.

Let's take an example. If the website is Linux based, it will be inside /var/www/html. Inside that html folder there is one directory called image where all the images you see on the web page are stored, for example www.example.com/hello.jpg. If you request ../../../../../../../ you end up in the root directory, and from there you can change into any other directory.

(It doesn't matter how many ../ you add: once you reach the root directory, every extra ../ keeps you in the same place.)

Once you are in the root directory you can change into any other directory, for example www.example.com/../../../../../../../../../../../etc/passwd. Here you first go up to the root directory and then down into /etc to read the passwd file.

On Windows you have both options available: ../ and ..\ will both work. You can also check out this payload list.
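The following Python script is an added illustration and is not code from the original post. It models what the post describes: a naive handler joins the requested path onto the web root (assumed here to be /var/www/html, the post's Linux example) and normalizes it, so a run of `../` segments resolves to /etc/passwd and extra `../` at the root are simply dropped. The hardened version resolves the path the same way but then refuses anything that does not stay inside the web root, and a small detector flags `..` segments in request paths (URL-decoded once, backslashes treated like slashes) for logging. The function names and sample request paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root, taken from the post's Linux example.
WEB_ROOT = "/var/www/html"


def _normalize_request(requested):
    """Treat Windows-style '..\\' like '../' and drop a leading slash so the
    request is always joined relative to the web root."""
    return requested.replace("\\", "/").lstrip("/")


def resolve_naive(web_root, requested):
    """Vulnerable: join and normalize with no containment check.
    posixpath.normpath collapses '..' segments, and any '..' beyond the
    filesystem root is discarded, which is why piling on extra '../'
    still lands in the same place."""
    return posixpath.normpath(posixpath.join(web_root, _normalize_request(requested)))


def resolve_safe(web_root, requested):
    """Hardened: resolve exactly as above, then reject any result that is
    not the web root itself or a path underneath it. Returns None on reject."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, _normalize_request(requested)))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # escaped the web root
    return candidate


def looks_like_traversal(requested):
    """Detection helper for logs: True if any path segment is '..' after a
    single round of URL decoding. This is a signal for monitoring, not a
    substitute for the containment check in resolve_safe."""
    decoded = unquote(requested).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


if __name__ == "__main__":
    # Constructed sample requests, including the ones from the post.
    samples = [
        "hello.jpg",
        "images/../index.html",
        "../",
        "../../../../../../../../../../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "..%2f..%2fetc/passwd",
    ]
    for req in samples:
        print(f"{req!r:50} naive={resolve_naive(WEB_ROOT, req)!r:28} "
              f"safe={resolve_safe(WEB_ROOT, req)!r:28} "
              f"flagged={looks_like_traversal(req)}")
```

Note that `images/../index.html` is allowed by `resolve_safe` because it never leaves the web root, so the check is on where the path ends up, not on whether it contains `..`. The detector decodes only once, so it is a logging signal; the containment check is the control that actually prevents the read.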
