
Traversal Directory (TRV) vulnerability

What is a TRV vulnerability and how to prevent it?

Directory traversal attacks consist of altering the directory path in the URL in order to access directories of the site that the user is not authorized to reach.


What is a Traversal Directory vulnerability?

The traversal directory flaw allows hackers to recursively browse all files and directories on a server. Any web server that does not properly validate user input is vulnerable to this type of attack.

If the attempt succeeds, the attacker can view and modify confidential files and configuration files, and use them to execute malicious code of their own. A hacker may be able to read the contents of confidential files stored on a server and circulate this sensitive data, or sell it to other malicious people.

Security flaws

Example:

On vulnerable servers, it is enough to climb the directory tree by repeating a string such as "../": http://domaine.com/../../../../directory/file

It is also possible to encode some characters:

Via URL encoding:
%2F is the encoded value of "/"

Or, with Unicode encoding:
%u2216 is the encoded value of "/"

Secure your sites

How to protect yourself against Traversal Directory vulnerabilities?

To protect yourself against this type of vulnerability, it is essential to configure your web server properly so that a user cannot navigate to pages he is not supposed to access.
Some advice:

  • Prevent access to paths outside the root of the website (chroot mechanism)

  • Disable the listing of files in directories that do not contain an index file ("Directory Browsing")

  • Delete useless directories and files (including hidden files)

  • Make sure that the server protects access to directories containing sensitive data
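
The server-side advice above can be complemented by a check in the application that decodes a request path and confirms it stays inside the web root, covering the "../", %2F and %uXXXX forms listed earlier. This is an added example, not HTTPCS code; `WEB_ROOT`, the function names and the POSIX-style paths are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = Path("/var/www/site")  # assumed document root (hypothetical)

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")        # non-standard %uXXXX escapes
RESIDUAL = re.compile(r"%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})")
# Backslash and Unicode slash look-alikes (U+2215, U+2216) are all treated
# as separators here, a conservative assumption for this example.
FOLD = str.maketrans({"\\": "/", "\u2215": "/", "\u2216": "/"})


class TraversalError(ValueError):
    """Raised when a request path is rejected."""


def resolve_request_path(url_path, root=WEB_ROOT):
    """Map a URL path to a file under root, or raise TraversalError."""
    decoded = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), unquote(url_path))
    if RESIDUAL.search(decoded):
        raise TraversalError("layered encoding")   # e.g. %252e%252e%252f
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    relative = decoded.translate(FOLD).lstrip("/")
    root = root.resolve()
    # resolve() collapses ".." and follows symlinks, so the check below is
    # made on the location the filesystem would really open.
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise TraversalError("path escapes the web root")
    return candidate


def is_safe(url_path, root=WEB_ROOT):
    """Return True when the request path resolves inside root."""
    try:
        resolve_request_path(url_path, root)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests, including the encodings listed above.
    for p in ["/index.html", "/img/../css/site.css",
              "/../../../../directory/file", "/..%2F..%2F..%2F..%2Fetc/passwd",
              "/..%u2216..%u2216..%u2216..%u2216etc/passwd", "/%252e%252e%252fx"]:
        print(f"{p!r:50} {'allow' if is_safe(p) else 'reject'}")
```

The containment test is made on the resolved path rather than on the raw string, so a request is rejected because of where it lands and not because of which characters it contains.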

Web Vulnerability Scanner of HTTPCS

How to detect TOP 10 OWASP vulnerabilities?

Detect security flaws on your website or web application thanks to the Web Vulnerability Scanner of HTTPCS. This online security tool allows you to detect any flaws you have (top 10 OWASP, CVE and other vulnerabilities implemented in the robot) to ensure the best protection of your site on a daily basis. Easily schedule automated audits, discover your vulnerabilities and find out what patches to apply to avoid being hacked.
