Introduction to Directory Traversal

Directory Traversal, or path traversal, is a vulnerability in web applications that can allow an attacker to access files which they should not be able to. Such as files outside of the application web root.

The vulnerability would generally be exposed through an application parameter like this:

Here the parameter is specifying a file within a specific subdirectory of the application, such as:


An attacker can abuse this function potentially, by using relative directory moves through character sequences like “../”. The following path:


Is the equivalent of:


The “../” effectively moves the attacker up one directory, if too many of those sequences are supplied, generally any additional ones are simply ignored, so:


Is the equivalent of:


One way to test for this issue is to supply a number of relative moves for files that are known to exist, for example:

and so on...

Alternatively you could try something like:


To exploit the issue we simply place one of the payloads in the target URL:

Potentially the sequence “../” may be blocked by the application, such as through a filter implemented by the developer but potentially you could bypass this through encoding. Some possible examples for filter evasion include:


For a list of possible files to try, there’s a cheatsheet for Windows and Linux!