Directory traversal attack
(also path traversal attack, dot-dot-slash attack)
Directory traversal attack definition
A directory traversal attack is a type of cyberattack that leverages security flaws within web applications or file systems, enabling unauthorized access to otherwise protected files and directories. Perpetrators of this attack method aim to read, modify, or delete sensitive data, which could lead to unintended information disclosure, data corruption, or even a full-scale system compromise. This type of attack poses a significant risk to the targeted organization or individual’s data security and privacy.
See also: SQL injection, XSS, vulnerability assessment
Directory traversal attack examples
- An attacker manipulates a web application’s file request to access the “/etc/passwd“ file on a Unix system, revealing user account information.
- Exploiting a vulnerable image upload feature in a web application to access and overwrite important configuration files, leading to the application’s malfunction.
Comparing directory traversal attack to other cyberattacks
Compared to other cyberattacks like SQL injection or cross-site scripting (XSS), directory traversal attacks specifically target file system vulnerabilities. While SQL injection and XSS target databases or web application users, directory traversal attacks focus on accessing unauthorized files and directories within the system.
Preventing directory traversal attacks
- Implement proper input validation and sanitization for all user-supplied data.
- Use secure coding practices and follow web application security guidelines.
- Apply the principle of least privilege, restricting user access to only necessary files and directories.
- Regularly update and patch web applications and server software to fix known vulnerabilities.