
Directory Traversal (Path Traversal)

Severity: high
Category: CWE-22, Injection

What is Path Traversal?

Directory traversal attacks exploit insufficient input validation to access files and directories outside the intended directory, using sequences like ../ to navigate the file system.

How it works

An attacker manipulates file path parameters (e.g., /download?file=../../../etc/passwd) to escape the application's web root and access sensitive system files.

Impact

Reading sensitive files (configuration files, credentials, source code) and, where the application also writes to attacker-controlled paths, writing arbitrary files, which can lead to remote code execution.

How ShieldReport detects this

ShieldReport tests file-handling endpoints with traversal sequences including URL-encoded, double-encoded, and null-byte injection variants.

How to fix it

Prefer a whitelist of allowed files, so that user input selects an entry rather than naming a path. Where a path must be built from input, resolve it to its canonical form (absolute, with ../ collapsed and symlinks followed) and verify that the resolved path lies within the expected directory before opening it; check the resolved path, not the raw string, because encoding tricks only defeat string-pattern filters. Never use user input directly in file system operations.
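To make both the attack and the fix concrete, here is an added example (not ShieldReport's code) in Python. It puts a vulnerable download handler next to a canonical-path version and an allowlist version, then runs each against the traversal variants named under detection (plain, URL-encoded, double-encoded, absolute path, null byte). The web-root layout, file names and the ALLOWED_FILES mapping are constructed for the demo; the percent-decoding step stands in for the single decode a web framework applies to query parameters.

```python
"""Vulnerable vs. hardened file download handlers (added example, not ShieldReport's code)."""
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def build_fixture() -> Path:
    """Constructed web root: a public download folder plus a secret one level above it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "public").mkdir()
    (root / "public" / "report.pdf").write_bytes(b"public report")
    (root / "secret.txt").write_bytes(b"db_password=hunter2")  # must never be served
    return root


def insecure_download(download_dir: Path, requested: str) -> bytes:
    """Vulnerable: the user-controlled name is joined straight onto the directory.
    '../secret.txt' walks out of download_dir; an absolute path replaces it entirely."""
    return (download_dir / requested).read_bytes()


def safe_download(download_dir: Path, requested: str) -> bytes:
    """Hardened: canonicalise first, then verify containment on the resolved path."""
    if "\x00" in requested:
        # CPython refuses NUL in paths anyway; the explicit check documents intent and
        # protects callers that hand the name to a C library that truncates at NUL.
        raise ValueError("null byte in filename")
    base = download_dir.resolve()
    candidate = (base / requested).resolve()  # collapses '..' and follows symlinks
    candidate.relative_to(base)               # raises ValueError if it escaped base
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


ALLOWED_FILES = {"quarterly-report": "report.pdf"}  # constructed allowlist


def allowlisted_download(download_dir: Path, key: str) -> bytes:
    """Strictest option: input selects an allowlist entry and never becomes a path."""
    if key not in ALLOWED_FILES:
        raise ValueError("unknown file key")
    return (download_dir / ALLOWED_FILES[key]).read_bytes()


def attempt(handler, download_dir: Path, raw_param: str) -> str:
    """Simulate one request: the framework percent-decodes the parameter once, so a
    double-encoded payload reaches the handler still containing literal '%2e'."""
    try:
        data = handler(download_dir, unquote(raw_param))
    except ValueError:
        return "blocked"
    except (FileNotFoundError, NotADirectoryError):
        return "not_found"
    return "LEAK" if b"db_password" in data else "served"


def run_demo() -> dict:
    """Run every payload through both handlers; returns {label: (insecure, safe)}."""
    root = build_fixture()
    pub = root / "public"
    payloads = [
        ("legit", "report.pdf"),
        ("plain", "../secret.txt"),
        ("encoded", "%2e%2e/secret.txt"),            # decodes to ../secret.txt
        ("double_encoded", "%252e%252e/secret.txt"),  # decodes once to %2e%2e/secret.txt
        ("absolute", str(root / "secret.txt")),       # absolute path replaces the base
        ("null_byte", "report.pdf%00.txt"),           # decodes to report.pdf\x00.txt
    ]
    results = {}
    try:
        for label, raw in payloads:
            results[label] = (attempt(insecure_download, pub, raw),
                              attempt(safe_download, pub, raw))
        results["allowlist_ok"] = attempt(allowlisted_download, pub, "quarterly-report")
        results["allowlist_bad"] = attempt(allowlisted_download, pub, "../secret.txt")
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:15} {outcome}")
```

The double-encoded payload is "not_found" for both handlers here because nothing decodes it a second time; it is dangerous only against a string filter that searches for "../" before some later layer decodes again. The canonical-path check is immune to that class of bypass because it never inspects the string, only where the resolved path ends up.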

Tags

injection, file-system, path-traversal

© 2026 ShieldReport. All rights reserved.
