How to Fix Path Traversal in ASP.NET
Learn how to prevent and fix Path Traversal vulnerabilities in ASP.NET applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is Path Traversal?
Path Traversal (also known as directory traversal or dot-dot-slash attacks) is a vulnerability that allows attackers to read, and sometimes write, arbitrary files on the server by manipulating file path references. The attack uses special characters like `../` (parent directory) to navigate outside the intended directory.
For example, if an application serves files from `/app/uploads/` based on user input, an attacker might request `../../../etc/passwd` to read the system's password file. The vulnerability occurs when applications use user-supplied input to construct file paths without proper validation or sandboxing.
In Node.js applications, path traversal can occur in: file upload/download handlers that use user-supplied filenames; static file serving that does not properly restrict the base directory; template rendering that accepts user-controlled template paths; and API routes that read configuration files based on user input. Next.js API routes and server components that handle file operations are potential attack surfaces.
Why It Matters
Path traversal can expose the entire server filesystem to an attacker. Sensitive files that might be accessed include application source code, configuration files with database credentials and API keys, environment files (.env), private keys and certificates, user-uploaded data belonging to other users, and operating system files. If write access is also possible, attackers can overwrite configuration files, inject malicious code, or create web shells. In containerized environments, path traversal might allow container escape if not properly sandboxed.
How to Fix It in ASP.NET
- Never use user-supplied input directly in file path construction.
- Use a whitelist of allowed filenames or identifiers that map to actual file paths.
- Resolve the final path using `path.resolve()` and verify it falls within the expected base directory.
- Strip or reject path traversal sequences (`../`, `..\`, and URL-encoded variants).
- Use `path.basename()` to extract just the filename from user input.
- Implement chroot jails or use containerization to limit filesystem access.
- Set restrictive file system permissions: the application should only have access to the directories it needs.
- For file uploads, generate random filenames rather than using user-supplied names.
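The resolve-and-verify steps above, written for .NET as an added example that is not part of the original page: `Path.GetFullPath()` and a bare-file-name check stand in for the Node.js `path.resolve()` and `path.basename()` calls named in the text. The class and method names, the base directory and the sample inputs are constructed for illustration, and the code assumes .NET 5 or later.

```csharp
using System;
using System.IO;

// Added example (hypothetical helper names; not code from the original page).
public static class UploadPaths
{
    // Vulnerable pattern: Path.Combine keeps ".." segments, and when the second
    // argument is rooted ("/etc/passwd", "C:\\x") it discards baseDir entirely.
    public static string NaiveResolve(string baseDir, string userInput) =>
        Path.Combine(baseDir, userInput);

    // Hardened pattern: accept only a bare file name, canonicalize, then verify
    // that the result is still inside the base directory.
    public static bool TryResolve(string baseDir, string userInput, out string fullPath)
    {
        fullPath = string.Empty;
        if (string.IsNullOrWhiteSpace(userInput)) return false;

        // Reject separators of either OS, drive/stream colons and NUL outright.
        if (userInput.IndexOfAny(new[] { '/', '\\', ':', '\0' }) >= 0) return false;
        if (userInput == "." || userInput == "..") return false;

        // Canonical root with a trailing separator, so that a sibling such as
        // "/srv/uploads-old" cannot pass a prefix check against "/srv/uploads".
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(Path.Combine(root, userInput));
        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, comparison)) return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs and a throwaway base directory.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads-demo");
        string[] inputs = { "report.pdf", "../../etc/passwd", "..\\web.config", "/etc/passwd", ".." };
        foreach (string input in inputs)
        {
            bool ok = TryResolve(baseDir, input, out string safe);
            Console.WriteLine($"{input} -> naive: {NaiveResolve(baseDir, input)} | hardened: {(ok ? safe : "rejected")}");
        }
    }
}
```

`Path.GetFullPath()` normalizes `..` segments but does not resolve symbolic links, so a link placed inside the base directory still needs the file system permission and upload-naming controls listed above.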
ASP.NET-Specific Advice
- Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.
- Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.
- ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.
- Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.
ASP.NET Security Checklist for Path Traversal
ASP.NET Security Best Practices
Use ASP.NET Identity for authentication with proper password hashing (PBKDF2 by default). Never implement custom password storage.
Configure HTTPS redirection and HSTS in `Program.cs`. Use `app.UseHttpsRedirection()` and `app.UseHsts()` in production.
Use `[Authorize]` attributes and policy-based authorization for route-level and action-level access control.
Implement rate limiting using ASP.NET Core's built-in `RateLimiter` middleware (available from .NET 7+).