How Attackers Exploit Directory Traversal and How to Defend Against It

This article explains what directory (path) traversal is, demonstrates how attackers can read or write arbitrary files on a server by manipulating file‑path parameters, outlines common bypass techniques, and provides concrete defensive coding practices to mitigate the vulnerability.


What Is Directory Traversal?

Directory traversal, also known as path traversal, is a web security flaw that allows an attacker to read (and sometimes write) arbitrary files on the server hosting the application, including source code, configuration files, credentials, and operating‑system files.

Reading Arbitrary Files via Directory Traversal

Consider an application that loads images with an HTML tag such as <img src="/loadImage?filename=218.png">. The server appends the filename parameter to a fixed base directory (e.g., /var/www/images/) to build the path /var/www/images/218.png and returns that file. If the parameter is not validated, an attacker can request:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

The concatenated path /var/www/images/../../../etc/passwd normalizes to /etc/passwd, so the server returns the Unix account file instead of an image. On Windows, where both / and \ are accepted as separators, the equivalent request filename=..\..\..\windows\win.ini reads win.ini from the Windows directory. Any file the web server process is permitted to read is exposed in this way.

Common Obstacles and Bypass Techniques

Many applications attempt to strip or block ".." sequences, but attackers can evade these defenses using various tricks:

Use absolute paths (e.g., filename=/etc/passwd) that contain no traversal sequences at all; many path-joining APIs silently discard the base directory when the second component is absolute.

Employ nested traversal strings such as ....// or ....\/. A filter that removes "../" only once, rather than repeatedly until nothing changes, turns each of these back into "../".

Apply non‑standard encodings: ..%c0%af uses an overlong UTF‑8 encoding of "/", and ..%252f is "../" URL‑encoded twice. A filter that searches for the literal "../" before the value is decoded (or before it is decoded a second time) never sees the traversal sequence.

If the application forces a specific directory prefix (e.g., /var/www/images), append traversal sequences after the prefix: filename=/var/www/images/../../../etc/passwd.

When a required file extension is enforced (e.g., .png), use a null byte to terminate the string before the extension: filename=../../../etc/passwd%00.png. The application's string comparison sees a name ending in .png, but on older runtimes (historically PHP and Java) whose native filesystem calls treat the NUL byte as the end of the string, the operating system opens /etc/passwd.
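The vulnerable handler from the previous section and each of the bypasses above, as an added Python example that is not part of the original article. It models the request pipeline the bypasses depend on: the web server URL-decodes the parameter once, a hypothetical weak defense (strip_dotdot, require_prefix or require_png) runs on that decoded value, the application decodes again, joins the result to the assumed base directory /var/www/images and normalizes it. The lenient_utf8 decoder, which accepts the overlong C0 AF form that strict UTF-8 rejects, the second decode and the truncation at the first NUL byte are simulations introduced for the demo and do not come from any real server.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed base directory, as in the article's example (this is an added
# example, not code from the original page).
BASE_DIR = "/var/www/images"


def lenient_utf8(raw: bytes) -> str:
    """Decode bytes to text, accepting the overlong two-byte form (C0/C1 lead
    byte) that strict UTF-8 rejects, so %c0%af becomes '/'. This models a
    permissive runtime decoder and is a simplification for the demo."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII passthrough is enough for the demo
            i += 1
    return "".join(out)


# Three hypothetical, individually weak defenses. Each sees the parameter as
# the web server hands it to the application: URL-decoded exactly once.
def strip_dotdot(param: bytes) -> bytes:
    return param.replace(b"../", b"")            # removes "../" once, not recursively

def require_prefix(param: bytes) -> bytes:
    if not param.startswith(BASE_DIR.encode()):
        raise ValueError("path must start with the images directory")
    return param

def require_png(param: bytes) -> bytes:
    if not param.endswith(b".png"):
        raise ValueError("only .png files may be loaded")
    return param


def resolve(url_param: str, defense) -> str:
    """Model of the vulnerable handler: URL-decode once (web server), run the
    defense, URL-decode again (application), join to BASE_DIR, normalize, and
    truncate at the first NUL byte as a C-backed file API would."""
    once = unquote_to_bytes(url_param)
    checked = defense(once)
    twice = lenient_utf8(unquote_to_bytes(checked))
    # posixpath.join discards BASE_DIR when `twice` is absolute; normpath
    # collapses the "..": together they are the traversal the article describes.
    path = posixpath.normpath(posixpath.join(BASE_DIR, twice))
    return path.split("\x00", 1)[0]


if __name__ == "__main__":
    cases = [
        ("218.png", strip_dotdot),                              # legitimate request
        ("../../../etc/passwd", strip_dotdot),                  # naive form, blocked
        ("/etc/passwd", strip_dotdot),                          # absolute path
        ("....//....//....//etc/passwd", strip_dotdot),         # nested sequence
        ("..%252f..%252f..%252fetc/passwd", strip_dotdot),      # double URL-encoding
        ("..%c0%af..%c0%af..%c0%afetc/passwd", strip_dotdot),   # overlong UTF-8
        ("/var/www/images/../../../etc/passwd", require_prefix),  # prefix then traverse
        ("../../../etc/passwd%00.png", require_png),            # NUL before extension
    ]
    for param, defense in cases:
        print(f"{param!r:45} -> {resolve(param, defense)}")
```

Only the naive ../../../etc/passwd request is stopped by strip_dotdot; every other case resolves to /etc/passwd, which is the point: each weak check is defeated by the bypass built for it, so a denylist on the raw string is not a defense.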

Defending Against Directory Traversal

The most effective mitigation is to avoid passing raw user input directly to filesystem APIs. When this is unavoidable, apply two layers of defense:

Strictly validate user input, preferably using a whitelist of allowed values or, at minimum, ensure the input contains only alphanumeric characters.

After validation, concatenate the input to a known base directory, canonicalize the resulting path using the platform's filesystem API (so that "..", "." and symbolic links are resolved), and verify that the canonical path still starts with the base directory followed by a path separator. The separator matters: a bare prefix check for /var/www/images would also accept /var/www/images_private.

Example in Java:

String base = new File(BASE_DIRECTORY).getCanonicalPath() + File.separator; // trailing separator blocks /var/www/images_private
File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(base)) { // getCanonicalPath() resolves "..", "." and symlinks; it throws IOException
    // process file
} else {
    // reject: the resolved path lies outside BASE_DIRECTORY
}
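A Python counterpart of the two-layer defense, added here as an example; it is not the article's code and is not tied to any framework. validate_name is layer 1, an allowlist pattern assumed for this endpoint; resolve_under is layer 2, the realpath-then-prefix check that plays the role of getCanonicalPath in the Java snippet. demo() builds a throwaway directory tree with constructed files, a sibling directory images_private that shares the base's prefix, and a symlink pointing outside the base, then reports which inputs each layer stops; naive_prefix_ok is the flawed check without the trailing separator, included only to show why it fails.

```python
import os
import re
import tempfile

# Layer 1: allowlist pattern assumed for this endpoint. Only a plain image
# file name is acceptable: no separators, no "..", no NUL, no percent signs.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(png|jpg|gif)")


class TraversalError(ValueError):
    """Raised when user input would leave the image directory."""


def validate_name(user_input: str) -> str:
    if not SAFE_NAME.fullmatch(user_input):
        raise TraversalError(f"rejected filename: {user_input!r}")
    return user_input


def resolve_under(base_dir: str, user_input: str) -> str:
    """Layer 2: canonicalize (resolving '..' and symlinks) and require the
    result to sit inside base_dir. The trailing separator is essential:
    without it "<base>_private/x" would satisfy a plain prefix check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input))
    if not candidate.startswith(base + os.sep):
        raise TraversalError(f"path escapes base directory: {candidate!r}")
    return candidate


def naive_prefix_ok(base_dir: str, user_input: str) -> bool:
    """The flawed variant: prefix check without the separator (do not use)."""
    base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(base, user_input)).startswith(base)


def load_image(base_dir: str, user_input: str) -> str:
    """Both layers together; returns the vetted absolute path."""
    return resolve_under(base_dir, validate_name(user_input))


def demo() -> dict:
    """Build a throwaway tree with constructed files and report, per input,
    whether it was allowed or rejected."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "images")
    os.mkdir(base)
    os.mkdir(base + "_private")                     # sibling sharing the prefix
    with open(os.path.join(base, "218.png"), "wb") as f:
        f.write(b"\x89PNG")                         # constructed sample image
    outside = os.path.join(root, "secret.txt")
    with open(outside, "w") as f:
        f.write("constructed secret")
    try:
        os.symlink(outside, os.path.join(base, "link.png"))  # symlink escape
    except OSError:
        pass                                        # platforms without symlinks

    results = {}
    for name in ["218.png", "../secret.txt", "/etc/passwd",
                 "..%2f..%2fsecret.txt", "218.png\x00.txt", "link.png"]:
        try:
            load_image(base, name)
            results[name] = "allowed"
        except TraversalError:
            results[name] = "rejected"
    # Layer 2 on its own, for an input a bare prefix check gets wrong.
    sibling = "../images_private/x.png"
    try:
        resolve_under(base, sibling)
        results["layer2:" + sibling] = "allowed"
    except TraversalError:
        results["layer2:" + sibling] = "rejected"
    results["naive:" + sibling] = naive_prefix_ok(base, sibling)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key!r:35} {outcome}")
```

Layer 1 alone already rejects everything containing a separator, a dot sequence, a NUL byte or a percent sign; layer 2 is what catches link.png, a perfectly well-formed name whose symlink target lies outside the base, and the sibling-directory case that naive_prefix_ok wrongly approves.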
Directory traversal illustration
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: defense, Vulnerability, web security, file inclusion, path traversal, directory traversal
Written by System Architect Go

Programming, architecture, application development, message queues, middleware, databases, containerization, big data, image processing, machine learning, AI, personal growth.