Path traversal attacks

Path traversal attacks force access to files, directories, and commands that are located outside the web document root directory or CGI root directory.

About this attack

An attacker can exploit a URL in a way that the website executes or discloses contents of files on the web server. Even though most websites restrict user access to the web document root or CGI root directory, an attacker can gain access to these directories by using special character sequences.

The ../ sequence is a common sequence that is used by an attacker to access files or to execute commands on the file system. Even though most web servers prevent this technique from escaping the web document root, you should check for the following alternate encodings of this sequence that might be used to bypass security filters:
  • Valid and non-valid Unicode-encoding ..%u2216 or ..%c0%af of the forward slash character
  • Back slash characters ..\ on Windows based servers
  • URL encoded characters such as %2e%2e%2f
  • Double URL encoding ..%255c of the back slash character

Signatures triggered by this attack

The signatures that are triggered by path traversal attacks include:
Table 1. Path traversal signatures
Signature name Description More information
HTTP_Apache_SlashSlash Detects an HTTP GET followed by a double slash. IBM® X-Force®: Apache GET request directory traversal


HTTP_DotDot Detects web requests that contain one or more /../ sequences that attempt to navigate above the top of the web directory hierarchy.

This attempt often bypasses the normal security that is imposed by the web server to access files that are normally restricted.

IBM X-Force: HTTP "dot dot" sequences


HTTP_DotDotDot Detects web requests that contain a /... sequence. IBM X-Force: HTTP request contains "dot dot dot" in the URL
HTTP_GET_DotDot_Data Detects HTTP GET requests that contain ../../../.. in the data. IBM X-Force: HTTP "dot dot" sequences

IBM X-Force: CVE-1999-0229

HTTP_GET_Dotdotdot_Data Detects HTTP GET requests that contain /... in the data. IBM X-Force: HTTP GET request contains "dot dot dot"
HTTP_Perl_Example_Code Detects web requests that contain one or more ../.. sequences that attempt to navigate above the top of the web directory hierarchy and execute an ActiveState Perl program. IBM X-Force: Microsoft Internet Information Server (IIS) ActivePerl command execution
HTTP_PhpRocket_Traversal Detects an HTTP URL which has a query string that contain a page= parameter and whose argument contains a directory traversal (../..). IBM X-Force: PHP Rocket Add-in for FrontPage "dot dot" directory traversal


HTTP_POST_dotdot_data Detects a POST command with argument data that contains (../../). IBM X-Force: HTTP POST data contains dot dot path


HTTP_POST_dotdotdot_data Detects HTTP POSTS that contain (/...). IBM X-Force: HTTP POST dot dot dot directory traversal
HTTP_POST_JBoss_Traversal Detects a POST to the JBoss DeploymentFileRepository service object that is attempting to traverse the directory structure. IBM X-Force: JBoss Application Server DeploymentFileRepository directory traversal


HTTP_Sunone_Viewlog Checks for a specially crafted URL designed to traverse directories and view files. IBM X-Force: Sun ONE Directory Server ViewLog function directory traversal


HTTP_URL_BackslashDotDot Searches for backslash-dot-dot-backslash encoded as hexadecimal in the raw URL (%5c%2e%2e%5c). IBM X-Force: Apache HTTP Server non-Unix version URL encoded directory traversal


HTTP_URL_dotpath Detects web requests that contain a /./ sequence. This attack might indicate an attacker's attempt to evade an intrusion detection system. IBM X-Force: HTTP URL contains /./ (slash dot slash)
HTTP_URL_Repeated_Dot Detects URLs with repeated . (period or dot) characters. IBM X-Force: Microsoft IIS malformed URL extension data denial of service