Path traversal attacks

This type of attack forces access to files, directories, and commands that are located outside the web document root directory or CGI root directory.

About this attack

An attacker can craft a URL so that the web site discloses the contents of, or executes, files on the web server. Even though most web sites restrict user access to the web document root or CGI root directory, an attacker can reach directories outside them by using special character sequences in the requested path.

The ../ sequence is the most common way an attacker steps out of the document root to read files or execute commands on the file system. Most web servers reject a literal ../ that would escape the web document root, so you will want to check for the following alternate encodings of the sequence, which might slip past security filters that only look for the literal form:
  • Valid and non-valid Unicode encodings of the slash characters, such as ..%u2216 or ..%c0%af (%c0%af is an overlong UTF-8 encoding of / that a strict decoder rejects)
  • Back slash characters ..\ on Windows-based servers
  • URL-encoded characters such as %2e%2e%2f (../)
  • Double URL encoding of the back slash character, such as ..%255c (decoded once to ..%5c and again to ..\)
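The following Python, added here as an example (it is not code from the original page), shows why filtering for the literal ../ is not enough: a canonicalizer decodes each of the encodings listed above before checking for a parent-directory segment, and a file-serving check compares the fully resolved path with the document root instead of matching strings. The sample inputs, the root directory /srv/www, and the function names are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample inputs for this example (not from the original page).
SAMPLES = {
    "plain":          "../../etc/passwd",
    "url_encoded":    "%2e%2e%2fetc%2fpasswd",
    "double_encoded": "..%255c..%255cwindows\\win.ini",
    "overlong_utf8":  "..%c0%af..%c0%afetc/passwd",
    "backslash":      "..\\..\\windows\\win.ini",
    "percent_u":      "..%u2216..%u2216etc/passwd",
    "benign":         "images/logo.png",
}

# Overlong UTF-8 forms of '/' (%c0%af) and '\' (%c1%9c); a strict decoder
# rejects them, so they are mapped to a separator before unquote() sees them.
OVERLONG_SEPARATOR = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)
# IIS-style %uXXXX encoding of a single UTF-16 code unit.
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(path: str, rounds: int = 3) -> str:
    """Reduce the encodings listed above to a plain '/'-separated path.

    Decoding is repeated so that double encoding is unwrapped
    (%255c -> %5c -> \\). After decoding, backslashes and U+2216 (the
    character produced by %u2216, which renders like a backslash) are
    treated as path separators.
    """
    for _ in range(rounds):
        path = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
        path = OVERLONG_SEPARATOR.sub("/", path)
        path = unquote(path)
    return path.replace("\u2216", "/").replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any segment of the canonical path is a parent-directory reference."""
    return ".." in canonicalize(path).split("/")


def naive_resolve(root: str, user_path: str):
    """The typical flawed check: join, then test the string prefix.

    '..' segments survive os.path.join, so '/srv/www/../../etc/passwd'
    still starts with '/srv/www' and is accepted.
    """
    candidate = os.path.join(root, user_path.lstrip("/"))
    return candidate if candidate.startswith(root) else None


def resolve_under_root(root: str, user_path: str):
    """Return the on-disk path to serve, or None if it would escape `root`.

    The decision is made on the fully resolved path, so an encoding that
    canonicalize() does not know about is still caught when the result is
    compared with the root directory.
    """
    root_abs = os.path.realpath(root)
    relative = canonicalize(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_abs, relative))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} canonical={canonicalize(raw)!r} "
              f"traversal={is_traversal(raw)} "
              f"naive={naive_resolve('/srv/www', raw)!r} "
              f"safe={resolve_under_root('/srv/www', raw)!r}")
```

The canonicalizer is useful for logging and for signature-style detection, but it is not the control: any encoding it does not recognise would get through. The control is resolve_under_root(), which ignores what the request looked like and only asks whether the resolved file lies under the document root; naive_resolve() is the prefix check that the plain ../ payload defeats.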

Signatures triggered by this attack

The signatures triggered by path traversal attacks include:
Table 1. Path traversal signatures

HTTP_Apache_SlashSlash
  Description: Detects an HTTP GET followed by a double slash.
  More information: IBM® X-Force®: Apache GET request directory traversal; CVE-2003-1138

HTTP_DotDot
  Description: Detects web requests containing one or more /../ sequences that attempt to navigate above the top of the web directory hierarchy. This is often an attempt to bypass the normal security imposed by the web server and access normally restricted files.
  More information: IBM X-Force: HTTP "dot dot" sequences; CVE-1999-0229; CVE-2005-3897

HTTP_DotDotDot
  Description: Detects web requests containing a /... sequence.
  More information: IBM X-Force: HTTP request contains "dot dot dot" in the URL

HTTP_GET_DotDot_Data
  Description: Detects HTTP GET requests that contain ../../../.. in the data.
  More information: IBM X-Force: HTTP "dot dot" sequences; CVE-1999-0229

HTTP_GET_Dotdotdot_Data
  Description: Detects HTTP GET requests that contain /... in the data.
  More information: IBM X-Force: HTTP GET request contains "dot dot dot"

HTTP_Perl_Example_Code
  Description: Detects web requests containing one or more ../.. sequences that attempt to navigate above the top of the web directory hierarchy and execute an ActiveState Perl program.
  More information: IBM X-Force: Microsoft Internet Information Server (IIS) ActivePerl command execution

HTTP_PhpRocket_Traversal
  Description: Detects an HTTP URL whose query string contains a page= parameter whose argument contains a directory traversal (../..).
  More information: IBM X-Force: PHP Rocket Add-in for FrontPage "dot dot" directory traversal; CVE-2001-1204

HTTP_POST_dotdot_data
  Description: Detects a POST request whose argument data contains (../../).
  More information: IBM X-Force: HTTP POST data contains dot dot path; CVE-1999-0883

HTTP_POST_dotdotdot_data
  Description: Detects HTTP POST requests that contain (/...).
  More information: IBM X-Force: HTTP POST dot dot dot directory traversal

HTTP_POST_JBoss_Traversal
  Description: Detects a POST to the JBoss DeploymentFileRepository service object that attempts to traverse the directory structure.
  More information: IBM X-Force: JBoss Application Server DeploymentFileRepository directory traversal; CVE-2006-5750

HTTP_Sunone_Viewlog
  Description: Checks for a specially crafted URL designed to traverse directories and view files.
  More information: IBM X-Force: Sun ONE Directory Server ViewLog function directory traversal; CVE-2003-0676

HTTP_URL_BackslashDotDot
  Description: Searches the raw (undecoded) URL for backslash-dot-dot-backslash encoded as hexadecimal (%5c%2e%2e%5c).
  More information: IBM X-Force: Apache HTTP Server non-Unix version URL encoded directory traversal; CVE-2002-0661

HTTP_URL_dotpath
  Description: Detects web requests that contain a /./ sequence. This might indicate an attacker's attempt to evade an intrusion detection system.
  More information: IBM X-Force: HTTP URL contains /./ (slash dot slash)

HTTP_URL_Repeated_Dot
  Description: Detects URLs with repeated . (period or dot) characters.
  More information: IBM X-Force: Microsoft IIS malformed URL extension data denial of service; CVE-2000-0408
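To show how one-line signature descriptions like those in Table 1 translate into detection logic, here is an added Python example (not the product's signature code, and not from the original page) that applies a rule set modelled on the descriptions to constructed sample HTTP requests. The regular expressions are this example's reading of the descriptions; the run length used for HTTP_URL_Repeated_Dot and the choice of which field each rule inspects (raw versus decoded URL, query string, page= parameter, or POST body) are assumptions. The sample requests and host names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests (not real traffic); "\r\n\r\n" separates head and body.
SAMPLE_REQUESTS = [
    "GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /%5c%2e%2e%5c%2e%2e%5cwinnt/win.ini HTTP/1.0\r\n\r\n",
    "GET //cgi-bin/ HTTP/1.0\r\n\r\n",
    "GET /index.php?page=../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nname=../../etc/passwd",
    "GET /static/./js/app.js HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

# (signature name, request field to inspect, pattern, methods or None for any).
# Names follow Table 1; the patterns are this example's approximation of the
# descriptions, not the product's actual signature logic.
RULES = [
    ("HTTP_Apache_SlashSlash",   "raw_target", r"^//",                 {"GET"}),
    ("HTTP_DotDot",              "target",     r"/\.\./",              None),
    ("HTTP_DotDotDot",           "target",     r"/\.\.\.",             None),
    ("HTTP_GET_DotDot_Data",     "query",      r"\.\./\.\./\.\./\.\.", {"GET"}),
    ("HTTP_PhpRocket_Traversal", "page",       r"\.\./\.\.",           None),
    ("HTTP_POST_dotdot_data",    "body",       r"\.\./\.\./",          {"POST"}),
    ("HTTP_POST_dotdotdot_data", "body",       r"/\.\.\.",             {"POST"}),
    ("HTTP_URL_BackslashDotDot", "raw_target", r"%5c%2e%2e%5c",        None),
    ("HTTP_URL_dotpath",         "target",     r"/\./",                None),
    ("HTTP_URL_Repeated_Dot",    "target",     r"\.{5,}",              None),  # run length assumed
]
COMPILED = [(n, f, re.compile(p, re.IGNORECASE), m) for n, f, p, m in RULES]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into the fields the rules inspect."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    _path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)   # parse_qs URL-decodes values
    return {
        "method": method,
        "raw_target": target,        # undecoded, for rules written against the raw URL
        "target": unquote(target),   # decoded path plus query string
        "query": unquote(query),
        "page": params.get("page", [""])[0],
        "body": unquote(body),
    }


def match_signatures(raw: str) -> list:
    """Return the names of all rules that fire on one request, in rule order."""
    req = parse_request(raw)
    hits = []
    for name, field, pattern, methods in COMPILED:
        if methods is not None and req["method"] not in methods:
            continue
        if pattern.search(req[field]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", match_signatures(raw) or "no match")
```

The third sample request is the instructive one: once decoded it reads /\..\..\winnt/win.ini, which never contains the /../ that HTTP_DotDot looks for, so only HTTP_URL_BackslashDotDot, written against the raw hex, fires. That is the practical reason a signature set needs rules on both the raw and the decoded form, and why the alternate encodings listed earlier on this page matter to a detection engineer as much as to a web server.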