This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Testing for Directory Traversal

Revision as of 09:28, 6 November 2006 by Ikkisoft (talk | contribs) (Description of the Issue)

Jump to: navigation, search

OWASP Testing Guide v2 Table of Contents

Brief Summary

Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.

Description of the Issue

Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources. Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application. The definition of the privileges is made using Access Control Lists (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server. These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common /etc/passwd into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the dot-dot-slash attack (../), path traversal, directory climbing, backtracking.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:

  • (a) Input Vectors Enumeration (a systematical evaluation of each input vector)
  • (b) Exploiting Techniques (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).

Black Box testing and example

Testing for Topic X vulnerabilities:
Result Expected:

Gray Box testing and example

Testing for Topic X vulnerabilities:
Result Expected:



OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.