IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. Path Traversal (Directory Traversal)
Access ControlHigh

Path Traversal (Directory Traversal)

Also known as: Path Traversal · Directory Traversal · LFI

Path Traversal occurs when an application uses user-supplied input to build a filesystem path without properly neutralizing traversal sequences such as ../. This lets an attacker access files outside the intended directory - configuration files, secrets, or source code - and in some cases write files, which can lead to code execution.

CWE
CWE-22
OWASP
A01:2021
CAPEC
CAPEC-126

How it works

  1. 1The application builds a file path from user input (download, include, template, avatar).
  2. 2Traversal sequences are not neutralized or canonicalized.
  3. 3The attacker supplies ../ sequences (or encoded variants) to escape the base directory.
  4. 4The server reads or writes a file outside the intended scope.

Example

GET /download?file=../../../../etc/passwd HTTP/2
Host: target.example

# Returns the contents of /etc/passwd
Escaping the intended download directory.

Impact

Path traversal can disclose credentials, keys, and source code, and - where writes are possible - lead to remote code execution.

Remediation

  • Canonicalize the resolved path and verify it stays within an allowlisted base directory.
  • Avoid passing user input to filesystem APIs; use opaque identifiers mapped server-side.
  • Decode input fully before validation to defeat encoding bypasses.

Detection & testing

Test file parameters with traversal sequences and encoded variants; confirm whether resolved paths escape the intended root.

Impactr tests for Path Traversal (Directory Traversal) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for Path Traversal

Tools

ImpactrBurp Suiteffufdotdotpwn

Frequently asked questions

Is LFI the same as path traversal?

Local File Inclusion (LFI) is a closely related outcome where traversal lets an attacker include and sometimes execute local files. Path traversal is the underlying weakness that enables it.

Related concepts

Server-Side Request Forgery (SSRF)XML External Entity Injection (XXE)Broken Access Control
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub