Preventing Directory Traversal

Directory traversal vulnerabilities allow attackers to access arbitrary files on your system. They tend to occur in older technology stacks, which map URLs too literally to directories on disk.

Risks

Prevalence
Common
Exploitability
Moderate
Impact
Devastating

If an attacker discovers a directory traversal vulnerability, it is only a matter of time before they compromise your system. An experienced attacker will have seen a similar technology stack, and will have a playbook of things to try next.

If your site is indexed on Google, and you have URLs that pass file names in the query string, you are likely advertising a potential vulnerability to attackers. Hackers often use search engines to locate likely targets, and will search for tell-tale URLs. Try searching Google for site:<yourdomain.com> inurl:file= to see if any results get returned!
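For a URL that passes a file name in the query string, the too-literal mapping and a contained alternative look like this. This is an added example, not code from the original page; the `file` parameter, the `example.com` URLs, the directory layout and the function names are assumptions, and the sample requests are constructed.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse
# Constructed sample requests; example.com and the "file" parameter are assumptions.
SAMPLE_URLS = [
    "https://example.com/download?file=report.txt",
    "https://example.com/download?file=..%2Fsecret.txt",
    "https://example.com/download?file=%2Fetc%2Fhostname",
    "https://example.com/download?file=latest",  # symlink planted in demo()
]

def file_param(url: str) -> str:
    # parse_qs percent-decodes, so checks see the value the file system would see.
    return parse_qs(urlparse(url).query).get("file", [""])[0]

def naive_resolve(base: Path, name: str) -> Path:
    # The too-literal mapping: the request value is joined straight onto the base.
    return Path(os.path.normpath(os.path.join(base, name)))

def safe_resolve(base: Path, name: str) -> Path:
    """Return the real file for `name` under `base`, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("malformed file name")
    base_real = base.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks before the containment check.
    candidate = (base_real / name).resolve()
    if base_real not in candidate.parents:
        raise ValueError("path escapes the document root")
    if not candidate.is_file():
        raise ValueError("no such file")
    return candidate

def demo() -> dict:  # url -> (naive path leaves the root?, safe_resolve verdict)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp).resolve() / "public"
        public.mkdir()
        (public / "report.txt").write_text("public report")
        (public.parent / "secret.txt").write_text("not for download")
        (public / "latest").symlink_to(public.parent / "secret.txt")
        for url in SAMPLE_URLS:
            name = file_param(url)
            leaves = public not in naive_resolve(public, name).parents
            try:
                results[url] = (leaves, f"served {safe_resolve(public, name).name}")
            except ValueError as exc:
                results[url] = (leaves, f"rejected: {exc}")
    return results
```

The last sample shows why the comparison is made after `resolve()`: the joined path looks contained as text, but the symlink it names points outside the document root.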