
Directory Traversal

Definition: Directory traversal, also known as path traversal, refers to a web security vulnerability that allows an attacker to access restricted directories and execute commands outside of the web server's root directory.

Directory traversal is considered a serious risk. It occurs when sufficient input validation is not in place, enabling attackers to manipulate variables that reference files, using dot-dot-slash (../) sequences and similar methods, in order to navigate to folders not intended to be accessible through the web application. This could allow the attacker to view, execute, or manipulate files on the file system.

The exploitation of directory traversal vulnerabilities can lead to information disclosure, website defacement, server compromise, and in some cases, the execution of malicious commands. Adequate prevention measures include input validation, use of allowlists for file retrieval, proper configuration of web server permissions, and sanitizing user input to prevent the use of file system navigation characters.

As web applications continue to be a critical component of business operations, maintaining vigilance against directory traversal and other similar vulnerabilities is key to protecting sensitive data and ensuring the integrity and availability of online services.

Key Characteristics:

  • Ability to access files outside the designated directory
  • Exploits web applications lacking proper input validation
  • Can lead to information leakage or server compromise
  • Prevented by employing robust security measures in web applications

Examples:

  • Real-World Example: Attackers exploited a directory traversal vulnerability in a web application to access and download the /etc/passwd file from the server, which contains a list of users that could be used for subsequent attacks.
  • Hypothetical Scenario: An online retailer’s customer service page is vulnerable to directory traversal. An attacker modifies the URL of an image request, using the ‘../’ pattern to navigate to the server’s configuration files, revealing sensitive database credentials.
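As an added illustration (not part of this glossary page), the following Python shows how an image-serving handler like the one in the hypothetical scenario above can be hardened against the '../' pattern and its percent-encoded, backslash, absolute-path, NUL-byte and symlink variants. The web root, the request strings and the helper names (`safe_join`, `build_demo_root`, `check_requests`) are constructed for this example.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

def safe_join(root, requested):
    """Map a user-supplied path onto root; return the absolute target or None if it escapes.
    Decode percent-encoding (twice, so double-encoded '../' is caught), unify separators,
    reject absolute paths and NUL bytes, collapse '..' lexically, then resolve symlinks
    and confirm the result is still under root."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if not decoded or decoded.startswith("/") or "\x00" in decoded:
        return None
    rel = posixpath.normpath(decoded)
    if rel in (".", "..") or rel.startswith("../"):
        return None
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    # commonpath (not startswith) avoids the /srv/www vs /srv/www2 prefix trap
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target

def build_demo_root():
    """Construct a throwaway web root: one image plus a symlink pointing outside the root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG demo bytes")
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(outside, "config.ini"), "w") as fh:
        fh.write("db_password=constructed-example\n")
    os.symlink(outside, os.path.join(root, "uploads"))  # escape via symlink
    return root

def check_requests(root):
    """Return {request: allowed} for constructed request strings seen by the image handler."""
    requests = [
        "images/logo.png",              # legitimate
        "../../etc/passwd",             # plain dot-dot-slash
        "images/../../etc/passwd",      # traversal after a valid prefix
        "..%2F..%2Fetc%2Fpasswd",       # URL-encoded separators
        "%252e%252e%252fetc/passwd",    # double-encoded
        "..\\..\\windows\\win.ini",     # backslash separators
        "/etc/passwd",                  # absolute path
        "uploads/config.ini",           # symlink pointing outside the root
        "images/logo.png\x00.jpg",      # NUL-byte truncation attempt
    ]
    return {r: safe_join(root, r) is not None for r in requests}
```

Double decoding is deliberate here so that the check sees the same bytes the file system would, but it means a legitimate filename containing a literal '%' could be mis-decoded; a real handler should decode at exactly one layer, and an allowlist of permitted filenames, as the prevention paragraph above recommends, is stronger than any path check.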

Related Terms:

  • Input Validation: The method of sanitising user input to prevent directory traversal and other injection attacks.
  • File System: The system used by operating systems to control how data is stored and retrieved, which can be manipulated via directory traversal exploits.
  • Web Server: The hardware or software that provides World Wide Web services, storing, processing, and delivering web pages to users.
  • Server Compromise: An incident where an unauthorised party gains access to the server, which can occur as a result of a successful directory traversal attack.

