Portswigger Web Security Academy: Directory Traversal

I have been working through the Portswigger Web Security Academy to improve my knowledge of web app vulnerabilities and recently finished the Directory Traversal module. In this article, I will explain what directory traversal is, how to exploit it, and how to work around different preventative measures that web apps may have in place.
What is Directory Traversal:
Directory Traversal (also called path traversal) is a server-side vulnerability that allows an attacker to read arbitrary files on the server running the web app, outside the directory the app is meant to serve files from, such as /etc/passwd on a Linux host. In some cases it also allows the attacker to write to arbitrary files on the server.
How to exploit Directory Traversal:
To exploit a system with a Directory Traversal vulnerability and no protections, find a request that loads a file by name (say, an image loaded through a parameter such as filename=cat.png) and replace the listed file path with a traversal sequence that climbs out of the serving directory to the file you are trying to access, for example filename=../../../etc/passwd. On Windows, both ../ and ..\ are valid traversal sequences.
How to bypass Directory Traversal prevention methods:
Web apps use a number of methods to prevent Directory Traversal attacks, but there are also several ways to bypass these protective methods:
One common way to bypass this is by using an absolute path such as filename=/etc/passwd in the URL, which works when the app only blocks ../ sequences and does not check where the resulting path ends up.
Another way is to use nested traversal sequences, such as ....// and ....\/, which survive a filter that strips ../ non-recursively: once the inner ../ is removed, the remaining characters form ../ again, so the attacker can still go back directories and navigate anywhere on the system.
Another way is to encode the file path. Some filters only look for the literal characters ../, so URL-encoding the sequence (%2e%2e%2f) or double URL-encoding it (%252e%252e%252f) can bypass the filter while the server still decodes it back to ../ before using it.
Another way, when the app requires an expected file extension, is to include a null byte before that extension, e.g. filename=../../../etc/passwd%00.png: the extension check sees .png, but the underlying file system API stops reading the string at the null byte. Furthermore, when the app requires the path to start with the expected base folder, we can supply that base folder and then traverse backwards from it to get to the intended file destination, e.g. filename=/var/www/images/../../../etc/passwd.
How to prevent Directory Traversal:
The most effective way to prevent Directory Traversal is to avoid passing user input to file system APIs at all. If you must take user input, first validate it against a whitelist of permitted values, or at least confirm that it contains only permitted characters (e.g. alphanumerics). Then append the validated input to the base directory, use a platform file system API to canonicalise the resulting path, and verify that the canonicalised path still starts with the expected base directory before opening it. Checking the input string alone is not enough, because the bypasses above all rely on the path changing after the check.
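As an added, constructed example (not code from this article or from PortSwigger), the script below runs the bypass payloads from the previous section against three naive filters and places them beside a hardened loader built the way this section describes. The web root /var/www/images, the filename parameter, the payload values and the "sloppy server" model (one framework URL-decode, the filter, a superfluous second decode, NUL truncation, then ../ resolution) are all assumptions standing in for patterns seen across real apps, not any one product, and POSIX paths are assumed throughout.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Assumed web root of a hypothetical image loader (/image?filename=cat.png).
BASE = "/var/www/images"
TARGET = "/etc/passwd"

# Constructed values of the filename parameter, one per bypass technique.
PAYLOADS = {
    "plain":       "../../../etc/passwd",
    "absolute":    "/etc/passwd",
    "nested":      "....//....//....//etc/passwd",
    "url_encoded": "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "double_enc":  "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
    "null_byte":   "../../../etc/passwd%00.png",
    "base_prefix": "/var/www/images/../../../etc/passwd",
}


# Three naive defences. Each receives the once-decoded parameter and returns
# the value the app will go on to use, or None to block the request.
def strip_traversal(p):
    return p.replace("../", "")            # non-recursive: "....//" -> "../"


def require_base_prefix(p):
    return p if p.startswith(BASE + "/") else None


def require_png(p):
    return p if p.endswith(".png") else None


NAIVE_FILTERS = {
    "strip_traversal": strip_traversal,
    "require_base_prefix": require_base_prefix,
    "require_png": require_png,
}


def resolve_naively(raw, filter_fn):
    """Model a sloppy server: the framework URL-decodes once, the filter runs,
    the app decodes a second time, the C runtime stops at the first NUL byte,
    and the OS collapses '..' (modelled here with posixpath.normpath).
    Returns the path that would be opened, or None if the filter blocked it."""
    value = filter_fn(unquote(raw))
    if value is None:
        return None
    value = unquote(value)                 # superfluous second decode
    value = value.split("\x00", 1)[0]      # open() sees a NUL-terminated string
    # posixpath.join discards BASE entirely when value is absolute
    return posixpath.normpath(posixpath.join(BASE, value))


def audit_naive_filters():
    """For each naive filter, list the payloads that end up opening TARGET."""
    return {
        name: [p for p, raw in PAYLOADS.items()
               if resolve_naively(raw, f) == TARGET]
        for name, f in NAIVE_FILTERS.items()
    }


def safe_resolve(raw, base=BASE):
    """Hardened loader: decode once, reject NUL bytes, append the input to the
    base directory, canonicalise with the real file system API (symlinks
    included) and accept only a result that is still inside the base."""
    name = unquote(raw)
    if "\x00" in name:
        return None
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_hardened(base=None):
    """Run every payload through safe_resolve. 'rejected' means the loader
    refused it; 'inside-base' means it became a harmless literal path under
    the base directory that will simply not exist."""
    if base is None:
        with tempfile.TemporaryDirectory() as tmp:   # stands in for BASE
            return classify_hardened(tmp)
    return {p: "rejected" if safe_resolve(raw, base) is None else "inside-base"
            for p, raw in PAYLOADS.items()}


if __name__ == "__main__":
    for name, hits in audit_naive_filters().items():
        print(f"{name:20s} bypassed by: {hits}")
    for name, verdict in classify_hardened().items():
        print(f"hardened loader: {name:12s} {verdict}")
    with tempfile.TemporaryDirectory() as tmp:
        print("legit request ->", safe_resolve("cat.png", tmp))
```

Each naive filter falls to exactly the technique the article pairs it with: stripping ../ is beaten by the absolute path, the nested sequence and double encoding; the base-folder prefix check is beaten by supplying the prefix and climbing out of it; the extension check is beaten by the null byte. The hardened loader never produces a path outside the base, and the payloads it does accept are only odd literal filenames inside it. Note that the check is on the canonicalised path, not on the input string, which is what makes the ordering of decode, strip and resolve irrelevant.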
Megan Howell (CyberQueenMeg) is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter, has been featured in Forbes Magazine for her work in AI bias hunting, and is an open source contributor to projects such as BeEF and BlackArch Linux, a former DefCon speaker, a SkillsUSA Cybersecurity national competitor, a National Cyber Scholar, and a CyberPatriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.
DISCLAIMER
The information presented above can be used for both beneficial and malicious purposes. I do not condone or endorse the use of this information for malicious purposes and will fully support the prosecution of those who use the information presented above in a manner that violates the law. You are only authorized to utilize this information on your own systems or on systems you are explicitly authorized to penetration test or perform bug bounties on. If you use this exploit in a malicious manner, you will be charged and prosecuted to the full extent of the laws surrounding unethical hacking and cyber crime.