DEV Community

jas'scyberspace

walkthrough 1

What is path traversal?

Path traversal is when someone can manipulate a file path to break out of the folder they’re supposed to be limited to. Instead of just accessing a safe file, they can reach other parts of the server and potentially view or change files they shouldn’t have access to. That means things like app data or behavior can be altered just by tweaking the path.


Walkthrough: Simulating Path Traversal on My Site

Now that we’ve got a basic understanding of what path traversal is, let’s walk through a real-world(ish) example. I intentionally added this vulnerability (a safe and fun version) to my site, l1nuxbutt3rfly (https://l1nuxbutt3rfly.squarespace.com/). The site is both a portfolio and an experimental space where I practice and document real-world cybersecurity scenarios, and this walkthrough is part of my ongoing project to simulate realistic vulnerabilities in a safe, controlled environment.

Here’s how I recreated a classic path traversal bug using a custom download button and a bit of creative URL manipulation:

Basically, the download feature doesn't properly clean up what the user types into the URL, so you can trick it into grabbing files it shouldn’t. Instead of just giving you a safe file, it lets you “traverse” up directories and access other stuff—like hidden flags or system files—by using ../ in the path.

How the Path Traversal Works on My Site

The fake “Download” button you see is tied to a URL that includes a query string like this:

/downloads?token=pt-demo

On the surface, it just looks like a normal link to a downloadable file. But behind the scenes, it mimics a common web application mistake: trusting user input in the file path.

Step-by-Step Breakdown

The Setup
I placed a link on the site that mimics a typical file download endpoint. It uses a token parameter that appears to validate access to a specific file—something like a brochure, .zip file, or demo content.

The Simulated Mistake
Instead of restricting access to just one file, the URL accepts manipulated paths. The idea is to simulate an application that takes whatever path the user supplies (in the query) and serves it back without sanitizing or validating it.

The Exploit
By tweaking the token parameter, you can simulate a traversal attack. For example, you might change it to:

/downloads?token=../../../../secret/flag.txt

This tricks the server into “walking up” the file tree and accessing something outside the intended directory. In this case, it simulates grabbing a hidden flag file.

The Flag Reveal
If done right, instead of a clean download, you get access to the simulated "flag" file, which represents unauthorized access to sensitive data—just like in a real path traversal attack.


How to Prevent This

Sanitize Like You Mean It

Never trust user input. If someone gives you a file name or path, clean it like it’s radioactive. Strip out characters like ../, backslashes, or anything that screams “I’m trying to break out of this folder.”

Think of it like giving a guest access to your living room, not the keys to your bedroom, kitchen, and locked drawer full of secrets.

  1. Use Whitelisting

Only allow access to specific, known-good files or paths. If it’s not in your approved list, don’t even consider serving it.

  2. Lock Down Your Directories

Set strict permissions on your server. Even if someone does try path traversal, they should hit a dead end—preferably a big bold 403 Forbidden wall.

  3. Monitor & Alert

Add logging and alerts for weird file path activity. If someone’s tossing around a lot of ../, it’s not because they’re lost.

  4. Use Built-In Path Libraries

Languages like Python, Node, and others have safe ways to resolve file paths (e.g., path.resolve() in Node.js). Don’t reinvent the wheel—use tools that help block sneaky behavior.
