-template-..-2f..-2f..-2f..-2froot-2f

| Context | Example Scenario |
|---------|------------------|
| | https://example.com/view?file=-template-..-2F..-2F..-2F..-2Froot-2Fpasswd |
| HTTP POST/GET parameters | Template engine parameter accepting a relative include path |
| Server access logs | As a requested resource with path traversal |
| File upload filenames | Malicious filename attempting to break out of the upload directory |
| Cookie values | Encoded payload in a session variable used to load templates |

Developers often implement weak filters that attackers can easily circumvent. Below are common defensive mistakes and how they fail:

1. Stripping ../ non-recursively

By repeating ..-2F multiple times, the attacker is attempting to "climb" out of the intended web folder and reach the server's root directory: -template-..-2F..-2F..-2F..-2Froot-2F

Files containing database credentials, API keys, and encryption tokens.

Instead of letting users request a file by name/path, use an ID or a token that maps to a specific file on the backend.

os.path.normpath() collapses .. and . components lexically (it does not follow symlinks; os.path.realpath() does). The subsequent check ensures that the resolved path still lies within the intended base directory; both steps must run after any URL decoding, so the check sees the same path the file system will open. Similar functions exist in all programming languages: realpath() in PHP (with additional checks), path.Clean() in Go, Path.GetFullPath() in C#, and path.resolve() in Node.js.

Instead of manually concatenating strings to find files, use platform-specific functions (like Python's os.path.basename()) that strip out directory navigation attempts.
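The two defensive approaches above (normalise then check containment, or keep only the file name) as an added Python example; this is not code from the original page. The base directory, the request values and the file names are constructed for illustration and need not exist on disk; percent-encoding is written with the standard %2F form.

```python
import os
from urllib.parse import unquote


def safe_join(base_dir: str, user_path: str):
    """Resolve user_path beneath base_dir; return the absolute path or None.

    Order matters: decode first, normalise second, check last, so the
    containment check sees the same path the file system would open.
    """
    base = os.path.normpath(os.path.abspath(base_dir))
    decoded = unquote(user_path)          # one round of %XX decoding
    if "\x00" in decoded:                 # NUL bytes can truncate the path in C code
        return None
    # os.path.join discards base when decoded is absolute; normpath then folds
    # "." and ".." lexically (it does not follow symlinks; realpath() does).
    candidate = os.path.normpath(os.path.join(base, decoded))
    try:
        # commonpath() compares whole components, so ".../templates2" is not
        # mistaken for a child of ".../templates" the way a prefix check would.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                    # e.g. different drives on Windows
        inside = False
    if not inside or candidate == base:   # the directory itself is not a file
        return None
    return candidate


def filename_only(user_path: str) -> str:
    """Keep only the last path component (the os.path.basename() approach).

    Backslashes are mapped to "/" first because POSIX basename() treats "\\"
    as an ordinary character.
    """
    return os.path.basename(unquote(user_path).replace("\\", "/"))


def classify(base_dir, requests):
    """Map each request value to True (would be served) or False (rejected)."""
    return {r: safe_join(base_dir, r) is not None for r in requests}


if __name__ == "__main__":
    # Constructed sample inputs; the directory is hypothetical.
    SAMPLE_BASE = "/var/www/app/templates"
    SAMPLE_REQUESTS = [
        "header.html",                         # plain file: allowed
        "partials/../footer.html",             # ".." that stays inside: allowed
        "../../../../root/passwd",             # climbs out of the web folder
        "..%2F..%2F..%2F..%2Froot%2Fpasswd",   # same, percent-encoded
        "/etc/passwd",                         # absolute path replaces the base
    ]
    for req, ok in classify(SAMPLE_BASE, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {req}")
```

When the application serves existing files from a directory that may contain symlinks, apply os.path.realpath() to both the base and the candidate before the commonpath comparison; the lexical normpath check alone cannot see where a link points.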

That is a payload aiming to access the /root/ directory from the web root, moving up four levels.

An attacker discovers that the application filters neither .. sequences nor their URL-encoded equivalents. They craft the following request:

Example safe code in Python: