<aside>

Path traversal (directory traversal) vulnerabilities allow an attacker to read arbitrary files on the server that runs an application, including application code and data, credentials for back-end systems, and sensitive operating system files. Where the application also writes files, the same flaw can let an attacker modify them.

Consider a shopping application that displays product images. It might load an image using this HTML:

<img src="/loadImage?filename=218.png">

The server appends the filename parameter to its image directory and reads the result. If that parameter is passed to the filesystem unchecked, a request whose filename is something like ../../../etc/passwd walks out of the image directory and returns a file the application never meant to serve.

How to prevent a path traversal attack

The best defense against path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs. Most application functions can be rewritten to achieve the same results more securely.

If you must pass user-supplied input to filesystem APIs, implement these two defensive layers:

1. Validate the input before using it: compare it against an allow list of permitted values, or, if that is not possible, check that it contains only permitted characters (for example alphanumerics plus a single extension).
2. After validation, append the input to the base directory, canonicalise the resulting path, and verify that the canonical path still starts with the expected base directory. The first layer alone is not enough: a valid-looking name may be a symlink that points outside the directory.

Here's a simple Java code example that validates a file's canonical path based on user input. The base directory is canonicalised as well, and the comparison includes a trailing separator so that a sibling directory sharing the prefix (for example /var/www/images2 when the base is /var/www/images) is rejected:

File base = new File(BASE_DIRECTORY).getCanonicalFile();
File file = new File(base, userInput).getCanonicalFile();  // getCanonicalFile() throws IOException
// Compare with a trailing separator: without it "/var/www/images2" passes for base "/var/www/images".
if (file.getPath().startsWith(base.getPath() + File.separator)) {
    // process file
}
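The same two layers in Python, as an added example that is not part of the original note: a vulnerable image loader, the near-miss prefix check that lets a sibling directory through, and a hardened loader that applies the allow list and then the canonical-path check. The handler names, the temporary directory tree and the file contents are all constructed for the demonstration; it assumes a POSIX filesystem (symlinks, os.path.realpath).

```python
"""Path traversal: a vulnerable image loader beside a hardened one.

Added example, not code from the original note. Assumes POSIX; the
directory tree is built in a temp dir as sample data, and the
load_image_* names are hypothetical handlers.
"""
import os
import re
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied filename would escape the image directory."""


# Layer 1: allow list for the shape of a filename. Only a bare name with an
# image extension passes; "../", "/" and absolute paths are rejected here.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.(?:png|jpg|gif)$")


def load_image_vulnerable(base_dir: str, user_input: str) -> bytes:
    """Insecure form: "../" segments walk out of base_dir, and os.path.join
    discards base_dir entirely when user_input is an absolute path."""
    with open(os.path.join(base_dir, user_input), "rb") as f:
        return f.read()


def load_image_prefix_check(base_dir: str, user_input: str) -> bytes:
    """Near miss: canonicalise, then startswith(base_dir) with no trailing
    separator. A sibling directory such as base_dir + "2" passes the check."""
    candidate = os.path.realpath(os.path.join(base_dir, user_input))
    if not candidate.startswith(base_dir):
        raise PathTraversalError(user_input)
    with open(candidate, "rb") as f:
        return f.read()


def resolve_under_base(base_dir: str, user_input: str) -> str:
    """Layer 2: canonicalise both sides (realpath follows symlinks and
    collapses ".."), then compare whole path components with commonpath,
    so "/srv/images2" is not mistaken for a child of "/srv/images"."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(user_input)
    return candidate


def load_image_safe(base_dir: str, user_input: str) -> bytes:
    """Both layers: reject anything that is not a plain image filename, then
    still confirm the canonical path stays under base_dir (catches symlinks)."""
    if not FILENAME_RE.fullmatch(user_input):
        raise PathTraversalError(user_input)
    with open(resolve_under_base(base_dir, user_input), "rb") as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed sample layout (not a real web root):
        root/images/218.png      legitimate product image
        root/images/escape.png   symlink -> root/secret.txt
        root/images2/leak.png    sibling directory sharing the prefix
        root/secret.txt          file the application must never serve
    """
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "images2"))
    for rel, data in (("images/218.png", b"PNG-218"),
                      ("images2/leak.png", b"LEAK"),
                      ("secret.txt", b"SECRET")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    os.symlink(os.path.join(root, "secret.txt"),
               os.path.join(root, "images", "escape.png"))
    return root


def run_demo() -> dict:
    """Feed the same inputs to each loader; True means the file was served."""
    root = build_demo_tree()
    base = os.path.join(root, "images")
    inputs = {
        "legit": "218.png",
        "dotdot": "../secret.txt",
        "absolute": os.path.join(root, "secret.txt"),
        "sibling": "../images2/leak.png",
        "symlink": "escape.png",
    }
    results = {}
    for name, loader in (("vulnerable", load_image_vulnerable),
                         ("prefix_check", load_image_prefix_check),
                         ("safe", load_image_safe)):
        for label, user_input in inputs.items():
            try:
                loader(base, user_input)
                results[(name, label)] = True
            except (PathTraversalError, OSError):
                results[(name, label)] = False
    return results


if __name__ == "__main__":
    for (loader, case), served in sorted(run_demo().items()):
        print(f"{loader:13s} {case:9s} {'SERVED' if served else 'blocked'}")
```

Two things worth noticing in the output: the prefix-only check blocks the ../ and absolute inputs but still serves ../images2/leak.png, and the allow list alone would have served escape.png because the name looks harmless; only the canonical-path comparison after symlink resolution stops it.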

directory-traversal-cheatsheet.txt

</aside>

Dirsearch

Brute-force directories and files on the target with the cheatsheet above as the wordlist (-w), trying each entry with the listed extensions (-e):

dirsearch -u TARGET.COM -e php,html,js,asp,xml,csv -w /home/onion/Documents/wordlists/directory-traversal-cheatsheet.txt