What is Directory Traversal? Complete Guide with Examples (2026)

Directory Traversal is a critical web security vulnerability that allows attackers to access files and directories outside the intended path. It is commonly found in poorly secured file‑handling systems and API endpoints that expose file‑download or file‑read functionality.

In this post:
  1. What is Directory Traversal (Path Traversal)?
  2. How the attack works
  3. Real directory traversal attack scenario
  4. Impact of the vulnerability
  5. Common mistakes that enable it
  6. Prevention techniques
  7. Practice and lab tips
  8. FAQ for developers

What is Directory Traversal?

Directory Traversal (also known as Path Traversal) occurs when an application allows user input to control file paths without proper validation. Attackers can manipulate this input to access restricted files on the server, often outside the web root or intended directory.

Example vulnerable URL

https://example.com/file?name=report.pdf

Attacker input

../../../../etc/passwd

If the server naively concatenates the user-provided name onto a base path such as /var/www/html, it opens /var/www/html/../../../../etc/passwd, which the operating system normalizes to /etc/passwd: the list of local user accounts. (Password hashes themselves live in /etc/shadow, which is normally readable only by root, but a successful read of /etc/passwd confirms the traversal works and is the usual first proof of concept.)

How the Directory Traversal Attack Works

  • Application reads a file path directly from user input (URL, form, API param).
  • No validation or sanitization is performed on the path.
  • Attacker injects ../ sequences to move up the directory tree.
  • Server opens and returns the requested file, which may be system files, configuration files, application source, or (via /proc/self/environ on Linux) the process's environment variables.
On Windows, the same goal is reached with backslash variants such as ..\..\Windows\System32\drivers\etc\hosts; Windows APIs accept both \ and / as separators, so forward-slash payloads work there too, while backslashes are ordinary filename characters on Linux.

Real Directory Traversal Scenario

An attacker finds a file-download endpoint such as /download?file=manual.pdf. By changing the parameter to:

/download?file=../../../../config/db.json

they can access configuration files that contain API keys, database credentials, or environment settings.

In more aggressive cases this can lead to remote code execution: reading source code and configuration exposes credentials and internal logic, a traversal that reaches a write or upload operation can overwrite configuration or drop a script into an executed location, and the read primitive can be chained with other flaws such as log poisoning through a file-inclusion bug.

Impact of Directory Traversal

  • Access to system files like /etc/passwd or C:\Windows\System32\drivers\etc\hosts.
  • Leak of sensitive configuration files, environment variables, API keys, and credentials.
  • Exposure of application source code or internal logs.
  • Potential remote code execution when combined with file‑upload or log‑injection weaknesses.

Because such attacks have low attack complexity (no authentication or user interaction is typically needed, and a single crafted request is enough) but high impact, they are treated as high-severity vulnerabilities in bug-bounty programs and pentests.

Common Mistakes That Enable Traversal

  • Allowing direct file-path input from users without constraints.
  • Not normalizing the path before checking it, so variants such as ../, ..\, URL-encoded %2e%2e%2f, double-encoded %252e%252e%252f, or ....// (which turns back into ../ after a single strip of ../) slip past a simple filter.
  • Exposing the internal file-system layout via predictable paths or verbose error messages.
  • Using raw user input in constructs like readFileSync(path), file_get_contents(path), or equivalent APIs.

How to Prevent Directory Traversal

  • Never trust user input when building file paths; validate it against what the endpoint is actually meant to serve.
  • Use strict allowlists of allowed filenames or short IDs instead of full paths.
  • Restrict file access to a clearly defined base directory (e.g., /uploads/ or /public/) and verify, after resolving the path, that the result is still inside it.
  • Avoid exposing raw file-path arguments; use hashes, IDs, or tokens mapped server-side to real paths.

Pro tips for secure file handling

  • Normalize paths before processing: resolve the input against the base directory, then verify the resolved path is still inside it. Normalizing on its own removes nothing; the containment check is what blocks the attack.
  • Use secure, framework-provided file-handling APIs instead of raw system calls (for example, Express's res.sendFile with a root option refuses paths that escape that root).
  • Run applications with minimal file-system permissions, so a successful read is limited to what the service account can see.
  • Log and monitor suspicious file-access patterns, including encoded ../ variants in request URLs.
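A detection pass over access-log lines, as an added example that is not from the original post. It decodes each request target repeatedly so single- and double-encoded payloads are compared in one form, flags any .. path segment or the ....// filter-bypass pattern, and tallies hits per source address. The log lines are constructed for this example and the field layout follows the common combined-log format; both are assumptions.

```javascript
// Added example (not from the original post): flagging traversal attempts in
// web-server access logs. SAMPLE_LOG is constructed data, not a real capture.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /download?file=manual.pdf HTTP/1.1" 200 8123',
  '10.0.0.9 - - [12/Mar/2026:10:01:07 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 2311',
  '10.0.0.9 - - [12/Mar/2026:10:01:09 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fconfig%2fdb.json HTTP/1.1" 404 120',
  '10.0.0.9 - - [12/Mar/2026:10:01:11 +0000] "GET /download?file=..%255c..%255cwindows%255cwin.ini HTTP/1.1" 404 120',
  '10.0.0.9 - - [12/Mar/2026:10:01:13 +0000] "GET /download?file=....//....//etc/shadow HTTP/1.1" 403 0',
  '10.0.0.7 - - [12/Mar/2026:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 5521',
];

// Decode repeatedly (bounded) so "%252e" and "%2e" both end up as ".".
// Stops when decoding no longer changes the string or the encoding is invalid.
function fullyDecode(s, maxRounds = 3) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Pull the request target out of a combined-format log line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE) ([^ ]+) HTTP\//);
  return m ? m[1] : null;
}

// A ".." segment bounded by a separator or query delimiter (either slash
// style, since Windows accepts both), or three-plus dots before a separator,
// which is the "....//" trick used against filters that strip "../" once.
const DOTDOT_SEGMENT = /(^|[\\\/?=&])\.\.(?=[\\\/]|$)/;
const OVERLONG_DOTS = /\.{3,}[\\\/]/;

function isTraversalAttempt(line) {
  const target = requestTarget(line);
  if (target === null) return false;
  const decoded = fullyDecode(target);
  return DOTDOT_SEGMENT.test(decoded) || OVERLONG_DOTS.test(decoded);
}

// Flagged requests with their source address, and a per-address tally that a
// SIEM rule could threshold on.
function flagTraversal(lines) {
  return lines
    .filter(isTraversalAttempt)
    .map((line) => ({ ip: line.split(' ')[0], target: requestTarget(line) }));
}

function countByIp(lines) {
  const counts = {};
  for (const { ip } of flagTraversal(lines)) counts[ip] = (counts[ip] || 0) + 1;
  return counts;
}

// Demonstration run.
for (const hit of flagTraversal(SAMPLE_LOG)) console.log('traversal attempt:', hit.ip, hit.target);
console.log('per-source counts:', countByIp(SAMPLE_LOG));
```

Note the 404 and 403 lines are flagged alongside the 200: a blocked attempt is still reconnaissance worth alerting on, and a burst of them from one address is a stronger signal than any single request.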

Practice Safely: Try It in Labs

You can safely practice directory traversal in controlled environments such as:

  • DVWA (Damn Vulnerable Web Application) – its File Inclusion module is exploited with the same ../ technique.
  • PortSwigger Web Security Academy – path traversal labs, including encoded and filter-bypass variants, with step-by-step guidance.

Never test on real‑world sites without explicit permission.

Conclusion

Directory Traversal is easy to exploit but also easy to fix once path handling is done safely. Developers must never trust user-controlled input when constructing file paths, should prefer server-side IDs over raw names, and where a name is unavoidable must resolve it against a single base directory and verify the result stays inside it.

FAQs

What is the difference between Directory Traversal and LFI?
Directory Traversal is a path-manipulation attack that lets you read files outside the intended directory. LFI (Local File Inclusion) is the same manipulation applied to an include/require or template-loading function, so the file is not just returned to the client but executed or rendered by the application, which is why LFI is far more likely to end in code execution.
Can Directory Traversal lead to remote code execution?
Yes, when combined with file‑upload, log injection, or configuration‑overwriting flaws, it can lead to RCE or full application compromise.
How do I protect an API endpoint that serves files?
Use IDs instead of raw paths, map IDs to files server‑side, normalize and validate any paths, and restrict access to a single base directory with least‑privilege permissions.

About the Author

Amardeep Maroli

MCA student and cybersecurity enthusiast from Kerala, India. I focus on API security, ethical hacking, and building secure web applications using Node.js, React, and Python. I actively work on real-world vulnerability testing, security automation, and hands-on learning in cybersecurity.

I share practical guides, real attack scenarios, and beginner-to-advanced cybersecurity knowledge to help others learn security the right way — through understanding, not just tools.
