Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Path traversal and directory listing

Path traversal occurs when an application builds a file path including user-controlled data without validating it. The ../ sequences allow moving up the directory tree. An attacker who controls part of the path can access files outside the allowed directory.

Path traversal example

# Endpoint vulnérable : /api/files?name=report.pdf
GET /api/files?name=../../../etc/passwd

# L'application construit :
path = "/var/app/uploads/" + req.query.name
# = "/var/app/uploads/../../../etc/passwd"
# = "/etc/passwd"

# Le serveur retourne le contenu de /etc/passwd

Encodings and bypasses

Naive filters that look for ../ can be bypassed through different encodings. Some variants: ..%2F (URL encoding of /), ..%5C (backslash on Windows), ....// (double traversal if the filter removes one occurrence), %2e%2e%2f (double encoding). Path canonicalisation before validation is mandatory to cover these cases.

Prevention: canonicalisation and prefix validation (Node.js)

const path = require('path');
const fs = require('fs');

const BASE_DIR = '/var/app/uploads';

function safeReadFile(userInput) {
  // Canoniser le chemin (résout ../)
  const fullPath = path.resolve(BASE_DIR, userInput);

  // Vérifier que le chemin résolu est bien dans le répertoire autorisé
  if (!fullPath.startsWith(BASE_DIR + path.sep)) {
    throw new Error('Accès refusé');
  }

  return fs.readFileSync(fullPath);
}

Directory listing

Directory listing exposes the file list of a directory when no index file (index.html, index.php) is present and the web server is configured to automatically generate this list. This reveals the application's structure, backup files, configuration files, and any resource not intended to be accessible.

Disabling directory listing

# Apache (.htaccess ou httpd.conf)
Options -Indexes

# nginx
autoindex off;  # Déjà off par défaut, vérifier qu'il n'a pas été activé

# IIS : dans web.config
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>

Summary

  1. Canonicalise paths before validation: use path.resolve() or equivalent, then verify the result starts with the allowed directory
  2. Never use supplied filenames directly: use opaque identifiers mapped server-side
  3. Disable directory listing: Options -Indexes (Apache), autoindex off (nginx)

A question after reading?

Does your application build file paths from user data? Send a message.

Or book a 30-minute scoping call directly

Book a call