Relative Path Traversal
Attack Pattern ID: 139 (Standard Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path that uses dot-dot-slash sequences in order to obtain access to restricted files or resources. The attacker modifies a known path on the target to reach material that is not available through intended channels. These attacks normally involve inserting additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

+ Attack Prerequisites

The attacker must be able to access at least one legitimate path on the target. It is this path the attacker uses as the base for their modifications.

The attacker must be able to control the path that is requested of the target.

The target must fail to adequately sanitize incoming paths.
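What adequate handling of incoming paths looks like, as an added example that is not part of the original entry: a literal `../` check is compared with decoding, canonicalizing, and confirming the result stays under the base directory. `BASE_DIR`, the function names and the sample requests are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"  # hypothetical document root (assumption)

def naive_allows(requested: str) -> bool:
    """Weak check: reject only the literal '../' sequence."""
    return "../" not in requested

def safe_resolve(requested: str, base: str = BASE_DIR) -> str:
    """Return the canonical path inside base, or raise ValueError."""
    decoded = requested
    for _ in range(3):  # peel nested percent-encoding, bounded
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("too many encoding layers")
    # Treat '\' as a separator on every platform (conservative choice).
    relative = decoded.replace("\\", "/").lstrip("/")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    # Compare whole path components, not string prefixes.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate

def compare(samples):
    """Return (request, naive verdict, canonical verdict) per sample."""
    rows = []
    for s in samples:
        try:
            safe_resolve(s)
            contained = True
        except ValueError:
            contained = False
        rows.append((s, naive_allows(s), contained))
    return rows

# Constructed requests covering the variants the description names.
SAMPLES = [
    "img/logo.png",
    "img/../css/site.css",           # dots, but stays inside base
    "../../etc/passwd",
    "..\\..\\etc\\passwd",           # backslash separators
    "%2e%2e%2f%2e%2e%2fetc/passwd",  # percent-encoded
    "%252e%252e%252fetc/passwd",     # double-encoded
]
```

Calling `compare(SAMPLES)` shows the literal check passing the backslash and encoded variants while rejecting a harmless in-tree path; the canonical check gets all six right.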

+ Resources Required

No special resources are required.

+ Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Targeted
+ Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
ChildOf | Category | 126 | Path Traversal | | Mechanism of Attack (primary) 1000