
Difference between revisions of "Relative Path Traversal"

(Categories)
Line 43: Line 43:
 
{{Template:Stub}}
 
{{Template:Stub}}
  
[[Category: Resource Manipulation]]
+
[[:Category: Resource Manipulation]]
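Review bot: the added line "[[:Category: Resource Manipulation]]" begins with a colon, which makes MediaWiki render an inline link to the category page instead of filing the article under that category, so with it standing in place of the plain "[[Category: Resource Manipulation]]" tag the article drops out of the Resource Manipulation listing. If the aim is a visible entry under the Categories heading, keep the original tag alongside the link.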

Revision as of 14:16, 27 July 2007

This is an Attack. To view all attacks, please see the Attack Category page.


This attack is a variant of Path Traversal and can be exploited when the application accepts the use of relative traversal sequences such as "../".

More detailed information can be found on the Path_Traversal page.

Examples

The following URLs are vulnerable to this attack:

 http://some_site.com.br/get-files.jsp?file=report.pdf  
 http://some_site.com.br/get-page.php?home=aaa.html  
 http://some_site.com.br/some-page.asp?page=index.html  

A simple form of this attack looks like this:

 http://some_site.com.br/get-files?file=../../../../some dir/some file  
 http://some_site.com.br/../../../../etc/shadow  
 http://some_site.com.br/get-files?file=../../../../etc/passwd 


Related Threats

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

Category: Information Disclosure


Related Attacks


Related Vulnerabilities

Category:Input Validation Vulnerability


Related Countermeasures

Category:Input Validation
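
As an added illustration of the input validation countermeasure (not part of the original article), the check below resolves the requested file name against a fixed base directory and refuses anything that ends up outside it, including percent-encoded "../" sequences. The base directory /var/www/files and the function names are assumptions made for this example; the sample URLs reuse the forms shown under Examples.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Assumed directory that the download handler is allowed to serve from.
BASE_DIR = "/var/www/files"


def resolve_requested_file(base_dir, requested):
    """Return the absolute path for `requested` if it stays inside
    base_dir, otherwise None."""
    if "\x00" in requested:
        return None  # NUL bytes are never valid in a file name
    base = os.path.realpath(base_dir)
    # join() then realpath() collapses "../" and follows symlinks, so the
    # comparison is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole components, so a sibling such as
    # /var/www/files-old is not mistaken for a child of /var/www/files.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_url(url, param="file", base_dir=BASE_DIR):
    """Extract `param` from the query string (percent-decoded by
    parse_qs) and validate it against base_dir."""
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    return resolve_requested_file(base_dir, values[0])


if __name__ == "__main__":
    # URLs in the forms shown in the article, plus an encoded variant.
    samples = [
        "http://some_site.com.br/get-files.jsp?file=report.pdf",
        "http://some_site.com.br/get-files?file=../../../../etc/passwd",
        "http://some_site.com.br/get-files?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    ]
    for url in samples:
        result = check_url(url)
        print("ALLOW" if result else "DENY ", url, "->", result)
```
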


Categories

Category: Resource Manipulation