Path Traversal

Description

This vulnerability allows an attacker to read arbitrary files on the server hosting the application.

This type of vulnerability can lead to several impacts:

  • Reading confidential data on the system (source code, identification information, personal information)
  • Compromising file integrity (for example, modifying the application code to change its behavior)

Methods

Reading arbitrary files via path traversal

Linux:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

Windows:

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
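The two requests above succeed when the handler joins the `filename` parameter to its image directory without checking where the result points. The following is an added example, not code from the original page: it places that vulnerable join beside a containment check that resolves the path first. The function names and the `/var/www/images` directory are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def load_image_unsafe(base_dir, filename):
    """Vulnerable pattern: user input is joined to the base directory unchecked."""
    return os.path.join(base_dir, filename)


def resolve_image_path(base_dir, filename):
    """Return the resolved path if it stays under base_dir, otherwise None."""
    if "\x00" in filename:
        return None
    # Treat "..\" like "../" so the Windows payload is caught on any host OS.
    candidate = filename.replace("\\", "/")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." segments and follows symlinks before the check.
    # An absolute filename replaces base in the join; the check rejects it too.
    target = (base / candidate).resolve()
    if target != base and base in target.parents:
        return target
    return None


def demo():
    """Run the check over constructed inputs: one valid name and the page's payloads."""
    with tempfile.TemporaryDirectory() as base:
        Path(base, "logo.png").write_bytes(b"constructed sample")
        names = ["logo.png", "../../../etc/passwd", "..\\..\\..\\windows\\win.ini"]
        return {n: resolve_image_path(base, n) is not None for n in names}


if __name__ == "__main__":
    # Hypothetical base directory; the unsafe join walks out of it.
    print(os.path.normpath(load_image_unsafe("/var/www/images", "../../../etc/passwd")))
    print(demo())
```

The check compares resolved paths instead of filtering `../` strings, so variants that normalize to the same location are rejected by the same comparison.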

Inspired by

Tools