What is Path Traversal?

Path traversal (directory traversal) is an attack where an attacker manipulates file path inputs to access files outside the intended directory, potentially exposing sensitive server files.

By the Hyrax team·4 min read·May 1, 2026
TL;DR
  1. Definition
  2. How Path Traversal Works
  3. What Attackers Can Access
  4. Write-Based Path Traversal
  5. Prevention

Definition

Path traversal — also called directory traversal or the ../ attack — is a vulnerability that allows an attacker to read (and sometimes write) files outside the directory the application intends to access. By manipulating file path inputs with sequences like ../ (move up one directory level), an attacker can access configuration files, source code, secrets, or system files.

Path traversal falls under the CWE-22 weakness and is consistently present in web application security assessments. It is particularly dangerous in applications that serve user-specified files, generate reports from templates, or process uploaded file paths.

How Path Traversal Works

An application serves files from /var/www/files/ using this code:

file_path = "/var/www/files/" + user_input   # user_input is concatenated as-is: no decoding, no canonicalization
with open(file_path) as f:                   # any ../ sequence in user_input is still in file_path at this point
    contents = f.read()

An attacker requests: ../../../etc/passwd

The resulting path resolves to /etc/passwd. The application reads and returns the system password file.

URL-encoded variants bypass naive filtering: %2e%2e%2f decodes to ../, allowing traversal even when literal ../ is blocked.

What Attackers Can Access

  • /etc/passwd, /etc/shadow — user account information on Linux systems
  • Application configuration files — database credentials, API keys, secrets
  • Application source code — business logic, credentials embedded in code
  • .env files, config.yaml, settings.py — environment configuration
  • Private keys, certificates — /etc/ssl, ~/.ssh/id_rsa
  • Log files — access logs, error logs, application logs

Write-Based Path Traversal

If the vulnerable path is used for writing rather than reading — file uploads, log writing, template caching — an attacker can write arbitrary files to arbitrary locations. Writing to web-accessible directories enables web shell deployment, granting command execution. Writing to server configuration directories can modify application behavior.

Prevention

Canonicalize and validate

Resolve the full canonical path of any user-influenced file path and verify that it begins with the expected base directory. In most languages: Java — Path.normalize() + startsWith(), Python — os.path.realpath() + startswith(), Node.js — path.resolve() + startsWith(). Do this after constructing the path, not before.
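As an added illustration of the canonicalize-then-verify rule (and of why blocking the literal ../ string, as discussed under "How Path Traversal Works", is not enough), the following Python is not from the article and not Hyrax code. It builds a throwaway directory tree with tempfile so it runs offline and touches no real system file, and it assumes the web framework has URL-decoded the request path exactly once before the value reaches the handler. It also goes one step beyond the text: the containment check uses os.path.commonpath rather than a bare startswith, because a plain string-prefix match accepts a sibling directory such as files2 next to files.

```python
import os
import tempfile
import urllib.parse
from typing import Optional

# Constructed sandbox (not a real deployment): a temporary "web root" holding one
# legitimate file, a symlink that points outside the root, and a sibling directory
# whose name shares the root's string prefix.
BASE = tempfile.mkdtemp(prefix="files-")
os.makedirs(os.path.join(BASE, "reports"))
with open(os.path.join(BASE, "reports", "q1.txt"), "w") as f:
    f.write("quarterly report\n")

OUTSIDE = tempfile.mkdtemp(prefix="outside-")
with open(os.path.join(OUTSIDE, "secret.txt"), "w") as f:
    f.write("not for download\n")
os.symlink(os.path.join(OUTSIDE, "secret.txt"), os.path.join(BASE, "link.txt"))

SIBLING = BASE + "2"  # e.g. /tmp/files-abc2: starts with the same string as BASE
os.makedirs(SIBLING)
with open(os.path.join(SIBLING, "sibling.txt"), "w") as f:
    f.write("sibling\n")
# Relative input that lands in the sibling directory after resolution.
SIBLING_INPUT = "../" + os.path.basename(BASE) + "2/sibling.txt"


def vulnerable_path(user_input: str) -> str:
    """The pattern from the article: concatenate and trust the result."""
    return BASE + "/" + user_input


def naive_prefix_check(user_input: str) -> bool:
    """Canonicalizes, but then uses a bare string prefix test (common mistake)."""
    candidate = os.path.realpath(os.path.join(BASE, user_input))
    return candidate.startswith(os.path.realpath(BASE))


def safe_path(user_input: str) -> Optional[str]:
    """Canonicalize after construction, then verify containment.

    Returns the canonical absolute path if it lies inside BASE, otherwise None.
    """
    # Assumption: the framework decoded once already; decoding here stands in
    # for that, so %2e%2e%2f arrives as ../ and is resolved like any other ../.
    decoded = urllib.parse.unquote(user_input)
    candidate = os.path.join(BASE, decoded)  # an absolute input replaces BASE here
    real_base = os.path.realpath(BASE)
    # realpath() collapses ../ sequences AND follows symlinks to the final target.
    real_candidate = os.path.realpath(candidate)
    # commonpath() compares whole path components, so BASE + "2" is not treated
    # as inside BASE the way startswith(BASE) would treat it.
    if os.path.commonpath([real_base, real_candidate]) != real_base:
        return None
    return real_candidate


def read_if_allowed(user_input: str) -> Optional[str]:
    """Serve a file only when the canonical-path containment check passes."""
    target = safe_path(user_input)
    if target is None or not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    for probe in ["reports/q1.txt", "../../../etc/passwd",
                  "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "link.txt", SIBLING_INPUT]:
        print(f"{probe!r:45} -> {read_if_allowed(probe)!r}")
```

Running the block prints one line per probe: only reports/q1.txt is served; the ../ form, its URL-encoded form, the symlink that leaves the root, and the sibling-directory input all come back as None. The sibling case is the one a startswith check gets wrong, which is why the check here compares components rather than characters.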

Use IDs, not paths

Instead of accepting user-supplied file paths or names, use an opaque identifier (UUID, database ID) to look up the actual file path server-side. The user never controls the path — they control an identifier that maps to a path.

Sandbox file access

Run file-serving components with OS-level restrictions (chroot, container isolation, AppArmor) that prevent access to files outside the intended directory, regardless of what the application code does.

Path Traversal and Autonomous Code Governance

Hydra detects path traversal by tracing user-supplied input to file system operations — open(), readFile(), sendFile(), file_get_contents(), and equivalent functions. When user-controlled data reaches a file operation without path canonicalization and base directory validation, Hydra generates a fix that adds the appropriate validation for the language and framework. The fix uses the canonical path approach (resolve, then verify prefix) rather than blocklist filtering of ../ sequences, which is bypassable through encoding.

Frequently Asked Questions

Does blocking ../ in input prevent path traversal?

No — not reliably. Attackers use URL encoding (%2e%2e%2f), double URL encoding (%252e%252e%252f), Unicode representations, and other encoding variants to bypass string-based filters. The correct defense is path canonicalization after construction, not input filtering.

Is path traversal the same as directory traversal?

Yes — the terms are used interchangeably. "Directory traversal" describes the mechanism (traversing directory structure); "path traversal" describes the manipulation (manipulating path components). Both refer to the same vulnerability class (CWE-22).

Can path traversal occur in containerized applications?

Yes. Containers reduce but do not eliminate path traversal risk. A vulnerable application in a container can still read files within the container (source code, configuration, secrets mounted as volumes). If the container has host filesystem mounts, the blast radius expands to the host.
