
Directory Traversal

A vulnerability that allows attackers to access files and directories outside the intended web root by manipulating file path parameters.

Tags: vulnerability, file system, web security

Directory traversal (also known as path traversal) allows an attacker to read arbitrary files on the server by manipulating file path references in the application. By injecting sequences like "../" (dot-dot-slash) into file parameters, an attacker can navigate up the directory tree and access sensitive system files such as /etc/passwd, configuration files, or application source code.

This vulnerability commonly appears in file download endpoints, template inclusion mechanisms, and any feature where user input influences which file is loaded from the filesystem. Variants include absolute path injection, null byte injection (in older systems), and URL-encoded traversal sequences that bypass basic filters.

Effective mitigations include canonicalizing (normalizing and resolving) file paths before use, restricting file access to a specific directory (for example with chroot), and validating that the fully resolved path, not the raw input, still lies within the intended directory.
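The following is an added example, not code from the original glossary entry or from APVISO: a vulnerable file-path resolver beside a hardened one that applies the mitigations above (bounded decoding, null-byte rejection, separator normalization, canonicalization, and a containment check). The base directory `/var/www/app/uploads` and the function names are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Assumed base directory for a file-download endpoint (constructed for this
# example; the glossary entry does not name one).
BASE_DIR = os.path.realpath("/var/www/app/uploads")


def resolve_unsafe(base, user_path):
    """Vulnerable pattern: the user-supplied value is joined onto the base
    directory with no containment check. '../' sequences climb out of base,
    and an absolute value makes os.path.join discard base entirely."""
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base, user_path, max_decode_rounds=2):
    """Hardened resolver: returns the canonical path of a file inside base,
    or None when the request must be rejected."""
    base = os.path.realpath(base)

    # Undo URL encoding a bounded number of times so double-encoded
    # sequences (%252e -> %2e -> .) are seen for what they are ...
    decoded = user_path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # ... and refuse anything that is still encoded after that many rounds.
    if unquote(decoded) != decoded:
        return None

    # Null bytes truncate paths in older C-based runtimes; never pass them on.
    if "\x00" in decoded:
        return None

    # Fold the OS-specific separator so '..\\' is not a filter bypass.
    decoded = decoded.replace("\\", "/")

    # Absolute path injection: a leading '/' would replace base in join().
    if decoded.startswith("/"):
        return None

    # Canonicalise (collapses '..' and follows symlinks), then verify the
    # result is still inside base. commonpath compares whole components, so a
    # sibling such as 'uploads-old' cannot pass the way a startswith() check
    # on the string prefix would let it.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    # The endpoint serves files, not the directory itself.
    if candidate == base:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../../../../etc/passwd", "/etc/passwd",
              "..%2f..%2fetc%2fpasswd", "%252e%252e%252fetc%252fpasswd",
              "..\\..\\windows\\win.ini", "report.txt%00.pdf"]:
        print(f"{p!r:38} unsafe={resolve_unsafe(BASE_DIR, p)!s:42} "
              f"safe={resolve_safe(BASE_DIR, p)}")
```

The decoding and separator handling only remove ambiguity; the containment test on the canonical path is the control that actually enforces the boundary, so it must run last, on the resolved path. A caller should still confirm that the returned path is a regular file before opening it.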

How APVISO tests for this: APVISO's scanner agent tests file parameters with various traversal payloads including URL-encoded variants, double-encoded sequences, and OS-specific path separators. It verifies successful traversal by detecting known file contents in responses.
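As a defender-side counterpart to the payload variants listed above (URL-encoded, double-encoded, and OS-specific separators), here is an added example, not part of the original entry and not APVISO's code, that scans access-log lines for traversal attempts. The log lines, the `/download?file=` endpoint and the log format are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format access log lines (sample data, not real
# traffic). Line 5 carries literal backslashes in the parameter value.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=reports/q1.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1842',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 221',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 403',
    '192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /download?file=..\\..\\boot.ini HTTP/1.1" 404 150',
    '192.0.2.9 - - [10/Oct/2023:13:57:30 +0000] "GET /static/logo.png HTTP/1.1" 200 9001',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# A '..' path component, checked after separators are folded to '/'.
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalise(value):
    """Decode twice (so double encoding is unwrapped) and fold '\\' to '/'.
    Over-decoding is harmless for detection; it only widens what we see."""
    return unquote(unquote(value)).replace("\\", "/")


def looks_like_traversal(value, allow_leading_slash=False):
    """True for '..' climbing, absolute-path injection or a null byte."""
    v = normalise(value)
    if DOTDOT_RE.search(v) or "\x00" in v:
        return True
    return (not allow_leading_slash) and v.startswith("/")


def find_traversal_attempts(lines):
    """Return one record per suspicious line: which parameter carried the
    payload, what it decodes to, and the status the server answered with."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # The URL path legitimately starts with '/', so only '..' counts there;
        # every query parameter value gets the full check.
        candidates = [("path", parts.path, True)]
        candidates += [(k, v, False) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        for name, value, lead in candidates:
            if looks_like_traversal(value, allow_leading_slash=lead):
                hits.append({"line": n, "ip": m["ip"], "param": name,
                             "decoded": normalise(value), "status": int(m["status"])})
                break
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {h['line']}: {h['ip']} param={h['param']} "
              f"decoded={h['decoded']!r} status={h['status']}")
```

A 200 response to a decoded `../` payload is the log-side signal that deserves first attention, since the status alone cannot show whether file contents were actually returned; that confirmation needs the response body, which the scanner description above checks for and an access log does not record.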

Test your applications for directory traversal vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.
