Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Path Traversal (also known as directory traversal or dot-dot-slash attacks) is a vulnerability that allows attackers to read, and sometimes write, arbitrary files on the server by manipulating file path references. The attack uses special characters like `../` (parent directory) to navigate outside the intended directory.
For example, if an application serves files from `/app/uploads/` based on user input, an attacker might request `../../../etc/passwd` to read the system's password file. The vulnerability occurs when applications use user-supplied input to construct file paths without proper validation or sandboxing.
Path traversal can expose the entire server filesystem to an attacker. Sensitive files that might be accessed include application source code, configuration files with database credentials and API keys, environment files (.env), private keys and certificates, user-uploaded data belonging to other users, and operating system files. If write access is also possible, attackers can overwrite configuration files, inject malicious code, or create web shells. In containerized environments, path traversal might allow container escape if not properly sandboxed.
Never use user-supplied input directly in file path construction. Use a whitelist of allowed filenames or identifiers that map to actual file paths. Resolve the final path using `path.resolve()` and verify it falls within the expected base directory. Strip or reject path traversal sequences (../, ..\, and URL-encoded variants). Use `path.basename()` to extract just the filename from user input. Implement chroot jails or use containerization to limit filesystem access. Set restrictive file system permissions -- the application should only have access to directories it needs. For file uploads, generate random filenames rather than using user-supplied names.
Select your framework for a detailed guide on fixing Path Traversal with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Sensitive Data Exposure
Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
Missing Rate Limiting
Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
JWT Vulnerabilities
JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect Path Traversal and 14 other vulnerability types in your application.
Start Free Scan