Path Traversal (Directory Traversal)
Also known as: Path Traversal · Directory Traversal · LFI
Path Traversal occurs when an application uses user-supplied input to build a filesystem path without properly neutralizing traversal sequences such as ../. This lets an attacker access files outside the intended directory - configuration files, secrets, or source code - and in some cases write files, which can lead to code execution.
How it works
- 1The application builds a file path from user input (download, include, template, avatar).
- 2Traversal sequences are not neutralized or canonicalized.
- 3The attacker supplies ../ sequences (or encoded variants) to escape the base directory.
- 4The server reads or writes a file outside the intended scope.
Example
GET /download?file=../../../../etc/passwd HTTP/2
Host: target.example
# Returns the contents of /etc/passwdImpact
Path traversal can disclose credentials, keys, and source code, and - where writes are possible - lead to remote code execution.
Remediation
- Canonicalize the resolved path and verify it stays within an allowlisted base directory.
- Avoid passing user input to filesystem APIs; use opaque identifiers mapped server-side.
- Decode input fully before validation to defeat encoding bypasses.
Detection & testing
Test file parameters with traversal sequences and encoded variants; confirm whether resolved paths escape the intended root.
Impactr tests for Path Traversal (Directory Traversal) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for Path TraversalTools
Frequently asked questions
Is LFI the same as path traversal?
Local File Inclusion (LFI) is a closely related outcome where traversal lets an attacker include and sometimes execute local files. Path traversal is the underlying weakness that enables it.