KIM COMPUTER


Path Traversal (Directory Traversal)

Path Traversal (also known as Directory Traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server running an application. Such files might include application code and data, credentials for back-end systems, and sensitive operating system files.


1. Overview

The attack occurs when an application uses user-supplied input to construct a file path without adequate validation. By manipulating that input, an attacker can make the application open files outside its intended root directory.


2. Attack Mechanism

The core of the attack lies in the ../ (dot-dot-slash) sequence, which the operating system interprets as a reference to the parent directory, i.e. one level up in the directory hierarchy. Because the operating system resolves these sequences when the path is opened, each ../ that survives into the final path removes one directory component from the intended base directory.


3. Vulnerable Code Example (Node.js/Express)

const express = require('express');
const app = express();

app.get('/download', (req, res) => {
  // User-controlled value taken straight from the query string
  const fileName = req.query.file;
  // Vulnerable: Directly concatenating user input to path, with no
  // validation and no check that the result stays under the base directory
  const filePath = `/var/www/app/public/files/${fileName}`;
  res.sendFile(filePath);
});

app.listen(3000);

4. Prevention Strategies

  1. Input Validation: Use an allow-list of permitted characters (e.g., alphanumeric only) and reject anything containing .. or /.
  2. Path Canonicalization: Resolve the requested file to its absolute, normalized path and verify that the resolved path starts with the expected base directory.
  3. Filesystem Permissions: Run the web server with the least privilege necessary, ensuring it cannot access sensitive system folders.
  4. Indirect File References: Instead of accepting filenames, use unique IDs mapped to files in a secure database or lookup table.