Path Traversal Attack: Definition, How It Works & Prevention | PowerWAF

How Path Traversal Attack Works

Path traversal exploits applications that use user-supplied input to construct file paths. When the application doesn't properly validate or sanitize the input, the attacker can navigate the directory structure using relative path sequences to access files outside the web root.

Identify a file-referencing parameter

The attacker finds a URL parameter, form field, or API endpoint that references files — such as ?page=about.html, ?template=header, ?file=report.pdf, or ?lang=en. Any parameter that maps to a file system path is a potential target.

Inject traversal sequences

The attacker replaces the expected value with directory traversal sequences: ../../etc/passwd on Linux or ..\..\windows\system32\config\SAM on Windows. Multiple ../ sequences climb the directory tree toward the root.

Bypass filters if present

If basic filtering exists, the attacker uses evasion techniques: URL encoding (%2e%2e%2f), double encoding (%252e%252e%252f), null bytes (..%00.html), Unicode (..%c0%af), or mixed path separators (..\../) to bypass pattern matching.

Read or execute target files

The server returns the contents of the targeted file. Commonly targeted files include /etc/passwd, /etc/shadow, application.properties, .env, wp-config.php, and web.config — revealing credentials, API keys, and system configuration.

Real-World Examples

2019

Fortinet FortiOS path traversal (CVE-2018-13379)

A path traversal vulnerability in Fortinet's SSL VPN allowed unauthenticated attackers to read system files including session tokens. Over 87,000 devices were exposed, and leaked credentials were published on hacker forums, affecting government and enterprise networks worldwide.

2021

Apache HTTP Server path traversal (CVE-2021-41773)

A critical path traversal in Apache 2.4.49 allowed attackers to access files outside the document root using URL-encoded dot-dot sequences. If mod_cgi was enabled, it also allowed remote code execution. The flaw was actively exploited within days of disclosure.

2021

Accellion FTA file transfer breach

Path traversal combined with other vulnerabilities in Accellion FTA allowed attackers to steal files from organizations including Morgan Stanley, Kroger, Shell, and multiple universities, affecting millions of individuals.

Impact & Risk Assessment

Path traversal can expose sensitive system files, application configuration with database credentials, API keys, and encryption secrets. In severe cases, it leads to remote code execution by reading application source code to find further vulnerabilities, or by writing to executable directories. The attack is ranked Critical because it directly breaches the server's file system boundary — the foundational security assumption of web applications.

How to Detect Path Traversal Attack

Monitor request URLs and parameters for ../ sequences, URL-encoded variants (%2e%2e), and null bytes. Watch for requests targeting known sensitive files (/etc/passwd, wp-config.php, .env). Analyze WAF logs for repeated traversal attempts from the same IP. Alert on unusual file access patterns in application logs. Implement file integrity monitoring on critical system files.

How to Prevent Path Traversal Attack

Never use user input directly in file path operations. Maintain an allowlist of permitted files rather than trying to block malicious patterns. Use a chroot jail or containerization to isolate the application's file system view. Strip or reject any input containing path separators (/ and \) and traversal sequences. Resolve the canonical (absolute) path and verify it falls within the expected base directory. Run the application with minimal file system permissions — the web server user should only access what's strictly necessary.

Code Examples

Vulnerable: Direct Path Concatenation
# VULNERABLE: user input used directly in file path
@app.route('/view')
def view_file():
    filename = request.args.get('file')
    filepath = f'/var/www/uploads/{filename}'
    return send_file(filepath)

# Attacker request:
# /view?file=../../../../etc/passwd

Secure: Path Validation with Canonical Check
import os

BASE_DIR = '/var/www/uploads'

@app.route('/view')
def view_file():
    filename = request.args.get('file', '')

    # Reject any path separators in the filename
    if os.sep in filename or '/' in filename:
        abort(400, 'Invalid filename')

    # Resolve the canonical path and verify it's within BASE_DIR
    filepath = os.path.realpath(os.path.join(BASE_DIR, filename))
    if not filepath.startswith(os.path.realpath(BASE_DIR)):
        abort(403, 'Access denied')

    if not os.path.isfile(filepath):
        abort(404)

    return send_file(filepath)

PowerWAF automatically blocks Path Traversal Attack at the edge.

Deploy in minutes. No code changes required. Free plan available.

Start Free See Documentation

Free plan spots are limited

Frequently Asked Questions

Path traversal reads file contents by navigating the directory structure. Local File Inclusion (LFI) is a subset where the application includes and executes a local file (e.g., via PHP's include()). LFI can lead to code execution, while basic path traversal only reads files.

Yes. Windows uses backslashes (\) as path separators, so attacks use ..\..\windows\system32\ patterns. Windows is also vulnerable to alternate data streams (file.txt::$DATA) and short filename attacks (PROGRA~1).

A WAF with comprehensive rule sets blocks the vast majority of path traversal attempts by detecting ../ patterns, URL-encoded variants, and known target file paths. PowerWAF includes over 50 path traversal signatures covering standard, encoded, Unicode, and platform-specific variants.