{
    "slug": "path_traversal",
    "term": "Path Traversal",
    "category": "security",
    "difficulty": "intermediate",
    "short": "User input used in a file path allows attackers to navigate outside the intended directory using ../ sequences.",
    "long": "Path traversal (also called directory traversal) lets attackers read or include arbitrary files on the server by supplying sequences like ../../etc/passwd in a parameter used to build a file path. In PHP, include/require with user-supplied filenames is the classic vector, and there the bug is local file inclusion rather than a plain file read. Mitigation requires canonicalising the full path with realpath() — which resolves symlinks and ../ segments and returns false for a path that does not exist, so a false result must be treated as a rejection — and then asserting that the result starts with the intended base directory followed by a directory separator (a bare prefix check would also accept a sibling such as /var/www/uploads-old). Whitelist known-good filenames where possible.",
    "aliases": [
        "directory traversal",
        "dot-dot-slash",
        "../ attack",
        "path traversal attack"
    ],
    "tags": [
        "injection",
        "file-system",
        "cwe-22",
        "owasp-top10"
    ],
    "misconception": "Stripping ../ from user input prevents path traversal. Attackers use encoded variants (..%2F, %2e%2e%2f), URL double-encoding that is only decoded after the filter has run, Unicode and overlong sequences, and nested forms such as ....// that a single non-recursive replacement collapses back into ../. Do not try to enumerate bad sequences — canonicalise the joined path with realpath() and compare the result against the allowed base directory.",
    "why_it_matters": "A path traversal vulnerability can read any file the web server process has permission to access — including /etc/passwd, .env files, and PHP source containing database credentials. When the vulnerable sink is include/require rather than readfile(), the same bug becomes local file inclusion (LFI), which can escalate from file disclosure to code execution.",
    "common_mistakes": [
        "Passing user-supplied filenames to file_get_contents(), readfile(), fopen(), include or require without canonicalising the path with realpath() and checking the result against the intended base directory.",
        "Filtering traversal sequences with str_replace('../', '') — bypassed with ....// which collapses to ../.",
        "Not verifying that the realpath() of the requested file is within the intended directory.",
        "Allowing the full filesystem path to be specified via a 'file' or 'path' query parameter."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "lfi",
        "realpath",
        "basename"
    ],
    "prerequisites": [
        "realpath",
        "basename",
        "input_validation"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Path_Traversal",
        "https://cwe.mitre.org/data/definitions/22.html"
    ],
    "bad_code": "$file = $_GET['file'];\nreadfile('/var/www/uploads/' . $file);",
    "good_code": "$base    = realpath('/var/www/uploads');\n$requested = realpath($base . '/' . $_GET['file']);\n\nif ($requested === false || !str_starts_with($requested, $base . DIRECTORY_SEPARATOR)) {\n    http_response_code(403); exit;\n}\nreadfile($requested);",
    "quick_fix": "Join the base directory and the user input, pass the result through realpath(), reject a false return (non-existent or inaccessible path), then verify with str_starts_with() (PHP 8+) that the canonical path begins with your allowed base directory followed by a directory separator — not the bare base string, which would also match sibling directories that share the prefix.",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/path_traversal",
        "html_url": "https://codeclaritylab.com/glossary/path_traversal",
        "json_url": "https://codeclaritylab.com/glossary/path_traversal.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Path Traversal](https://codeclaritylab.com/glossary/path_traversal) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/path_traversal"
            }
        }
    }
}