Directory Traversal
===================

A vulnerability that allows attackers to access files and directories outside the intended web root by manipulating file path parameters.

vulnerability, file system, web security

Directory traversal (also known as path traversal) allows an attacker to read arbitrary files on the server by manipulating file path references in the application. By injecting sequences like "../" (dot-dot-slash) into file parameters, an attacker can navigate up the directory tree and access sensitive system files such as /etc/passwd, configuration files, or application source code.

This vulnerability commonly appears in file download endpoints, template inclusion mechanisms, and any feature where user input influences which file is loaded from the filesystem. Variants include absolute path injection, null byte injection (in older systems), and URL-encoded traversal sequences that bypass basic filters.

Effective mitigations include normalizing file paths before use, restricting file access to a specific directory (chroot), and validating that resolved paths remain within the intended directory.
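
One way to implement the normalize-then-verify mitigation described above, as an added example (not APVISO's code). The names `resolve_within`, `TraversalError` and `check_samples` and all sample inputs are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

class TraversalError(ValueError):
    """The requested path resolves outside the base directory."""

def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real path for user_path under base_dir, or raise."""
    # Null bytes truncated paths on older runtimes; never accept them.
    if "\x00" in user_path:
        raise TraversalError("null byte in path")
    # Treat "\" like "/" so Windows-style separators are normalized too.
    candidate = user_path.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # join() drops base when candidate is absolute, and realpath() collapses
    # ".." and follows symlinks, so target is what the OS would really open.
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(f"escapes base directory: {user_path!r}")
    return target

def check_samples() -> dict:
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        os.mkdir(base)
        open(os.path.join(base, "report.pdf"), "w").close()
        open(os.path.join(root, "secret.txt"), "w").close()
        # Symlink inside base that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        samples = [
            "report.pdf", "../secret.txt", "..\\secret.txt", "/etc/passwd",
            "sub/../../secret.txt", "link", "report.pdf\x00.png",
            # Still-encoded: a literal file name here; never decode after the check.
            "%2e%2e%2fsecret.txt",
        ]
        for sample in samples:
            try:
                resolve_within(base, sample)
                results[sample] = "allowed"
            except TraversalError:
                results[sample] = "blocked"
    return results

if __name__ == "__main__":
    for sample, verdict in check_samples().items():
        print(f"{verdict:8} {sample!r}")
```

The check is applied to the fully resolved path, so it must run after all decoding the application performs and the returned path, not the original input, is the one to open.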

How APVISO tests for this: APVISO's pentester agent tests file parameters with various traversal payloads including URL-encoded variants, double-encoded sequences, and OS-specific path separators. It verifies successful traversal by detecting known file contents in responses.

Related Terms
-------------

- [Local File Inclusion (LFI)](/glossary/lfi)
- [Remote File Inclusion (RFI)](/glossary/rfi)
- [OWASP Top 10](/glossary/owasp-top-10)
