Path Traversal Hunting Guide: How to Find Directory Traversal Bugs That Pay
Key Takeaways
- Path traversal remains one of the most common web vulnerabilities — and one of the most underreported in bug bounty programs
- The classic ../ payload is just the starting point; real-world bugs require encoding bypasses, null bytes, and platform-specific tricks
- File download endpoints, image handlers, template engines, and API file parameters are the highest-yield attack surfaces
- Escalation from file read to account takeover or RCE is what turns a medium-severity finding into a critical payout
What Is Path Traversal?
Path traversal (directory traversal, dot-dot-slash) lets you read — or sometimes write — files outside the directory the application intended. When an application takes a filename as input and doesn't properly validate it, you can use ../ sequences to navigate up the directory tree and access sensitive files.
The canonical example:
GET /download?file=../../../../etc/passwd HTTP/1.1
If the server returns the contents of /etc/passwd, you have a path traversal vulnerability.
Where to Look
Path traversal hides in any parameter that references a file. These are the highest-yield locations:
1. File Download Endpoints
Any URL that serves files based on a parameter: /download?file=, /export?name=, /attachment?path=. These are the most obvious and still the most commonly vulnerable.
2. Image and Media Handlers
Image resizing proxies, avatar uploads, and media serving endpoints often take a path parameter. Look for /images?src=, /thumb?img=, /media/ routes.
3. Template and Theme Selection
Parameters like ?template=, ?theme=, ?lang= that load files from disk. These often have weaker validation because developers don't think of them as "file" parameters.
4. API Endpoints With File References
REST APIs that accept filenames in request bodies or path segments: POST /api/import {"file": "report.csv"}. JSON and XML bodies are often less filtered than query parameters.
5. Log Viewers and Admin Panels
Admin interfaces that display log files, configuration files, or backup files. These are gold — they're designed to read files, and the traversal filter is often the only thing between you and /etc/shadow.
Detection Techniques
Basic Traversal
Start with the fundamentals. Try these payloads against every file-referencing parameter:
../../../etc/passwd
..\..\..\..\windows\win.ini
....//....//....//etc/passwd
Encoding Bypasses
When basic traversal is filtered, encoding often gets through:
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd (URL encoding)
..%252f..%252f..%252fetc%252fpasswd (double URL encoding)
%c0%ae%c0%ae%c0%af (overlong UTF-8)
..%c0%af..%c0%af..%c0%afetc/passwd (UTF-8 overlong slash)
Null Byte Injection
On older systems and some languages (PHP < 5.3.4, older Java), null bytes truncate the path:
../../../../etc/passwd%00.png
../../../../etc/passwd\0.jpg
Platform-Specific Tricks
Windows:
..\..\..\..\windows\system32\drivers\etc\hosts
....\\....\\....\\windows\\win.ini
/..../..../..../windows/win.ini
Java/Tomcat:
/WEB-INF/web.xml
/META-INF/MANIFEST.MF
Node.js:
..%5c..%5c..%5cetc%5cpasswd (backslash on Windows Node)
Wrapper and Protocol Tricks
Some applications use file wrappers that accept protocols:
file:///etc/passwd
php://filter/convert.base64-encode/resource=../config.php
Confirming the Bug
Reading /etc/passwd proves the traversal works, but you need to demonstrate impact for a good bounty report. Target these files:
- /etc/passwd — proof of concept (Linux)
- /etc/shadow — password hashes (requires root, critical if readable)
- /proc/self/environ — environment variables, often contains secrets
- /proc/self/cmdline — reveals running process and arguments
- ~/.ssh/id_rsa — SSH private keys
- .env, config.php, application.yml — application secrets
- /windows/win.ini — proof of concept (Windows)
- web.config — IIS configuration with connection strings
Escalation Paths
File Read → Account Takeover
Read application config files to extract database credentials, API keys, or JWT signing secrets. Use JWT secrets to forge admin tokens. Use database credentials to access user data directly.
File Read → RCE
Read SSH keys and use them to SSH into the server. Read /proc/self/environ for cloud credentials; on AWS this can expose IAM role credentials, or the file read can be chained with SSRF to hit the metadata endpoint.
File Write → RCE
If the traversal allows writing (upload endpoints, log injection), write a web shell to a publicly accessible directory. On PHP: write to /var/www/html/shell.php. On Java: write to the webapps directory.
Bypassing Common Defenses
Stripping ../
If the app strips ../ in a single, non-recursive pass, double it: ....// becomes ../ after stripping.
Absolute Path Requirement
If the app requires the path to start with a specific directory, try: /var/www/uploads/../../../etc/passwd
Extension Whitelisting
If the app requires .pdf or .png extension, try null bytes (%00) or path parameters (../../../etc/passwd/.png on some servers).
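The three defenses just described, each written as the string check it usually amounts to, next to a hardened resolver that canonicalizes the path before testing containment. This is an added example written for this guide, not code from the article; the upload root and the allowed extensions are constructed values.

```python
import os
from urllib.parse import unquote

# Constructed for this example (not from the article): the directory the
# download endpoint is meant to serve from and the extensions it accepts.
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXT = {".pdf", ".png"}


def strip_dotdot_once(user_path):
    # Weak defense 1: a single, non-recursive removal of '../'.
    return user_path.replace("../", "")


def has_required_prefix(user_path):
    # Weak defense 2: a string prefix check on the joined path. It says nothing
    # about where the '..' segments resolve, and join() lets an absolute input
    # replace the root entirely.
    return os.path.join(UPLOAD_ROOT, user_path).startswith(UPLOAD_ROOT)


def has_allowed_extension(user_path):
    # Weak defense 3: a suffix check on the string, not on the file actually
    # opened; on platforms that truncate at NUL the '.png' is never seen.
    return user_path.lower().endswith(tuple(ALLOWED_EXT))


def safe_resolve(user_path):
    """Hardened check: decode once, refuse NUL bytes, canonicalize the joined
    path and require the *resolved* path to stay under the root. Returns the
    path to open, or None when the request must be rejected."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(UPLOAD_ROOT)
    # join() lets an absolute input replace root; realpath() then collapses
    # every '..', so the containment test below judges the real target.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("/var/www/uploads/../../../etc/passwd",
              "../../../../etc/passwd%00.png",
              strip_dotdot_once("....//....//....//etc/passwd"),
              "reports/q1.pdf"):
        print(repr(p), "->", safe_resolve(p))
```

The remediation the report section recommends (a file ID looked up server-side) removes the path from user control altogether; when a path must be accepted, the containment test on the canonical path is the check that matters, not any of the three string checks.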
WAF Bypass
Combine encoding techniques. Use ..;/ on Tomcat (path parameter bypass). Try Unicode normalization: %ef%bc%8f (fullwidth solidus).
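A defender's counterpart to the encoding lists under Detection Techniques and the WAF-bypass forms above: a small access-log scanner that normalizes each request target (bounded repeated percent-decoding, the overlong UTF-8 dot and slash, fullwidth solidus, backslashes, Tomcat-style ';' path parameters) before looking for '../'. This is an added example, not code from the article; the log lines are constructed.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed access-log lines (not from the article): two benign requests
# plus the encoded traversal forms the text lists.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
10.0.0.6 - - [10/Jan/2024:10:00:02 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.7 - - [10/Jan/2024:10:00:03 +0000] "GET /download?file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 404 231
10.0.0.8 - - [10/Jan/2024:10:00:04 +0000] "GET /images?src=..%c0%af..%c0%af..%c0%afetc/passwd HTTP/1.1" 400 120
10.0.0.9 - - [10/Jan/2024:10:00:05 +0000] "GET /thumb?img=....//....//....//etc/passwd HTTP/1.1" 200 1843
10.0.0.10 - - [10/Jan/2024:10:00:06 +0000] "GET /static/..;/WEB-INF/web.xml HTTP/1.1" 200 900
10.0.0.11 - - [10/Jan/2024:10:00:07 +0000] "GET /images?src=..%ef%bc%8f..%ef%bc%8fetc%ef%bc%8fpasswd HTTP/1.1" 200 1843
10.0.0.12 - - [10/Jan/2024:10:00:08 +0000] "GET /images?src=logo.png HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\./")   # '..' plus a separator, checked after normalization


def normalize_path(raw, max_rounds=3):
    """Undo what a naive filter misses: bounded repeated percent-decoding (double
    encoding), overlong UTF-8 dot/slash, fullwidth solidus, backslashes and
    Tomcat-style ';' path parameters."""
    s = raw
    for _ in range(max_rounds):
        # %c0%ae / %c0%af are invalid UTF-8 and would be lost by unquote(); map them first
        s = re.sub(r"%c0%ae", ".", s, flags=re.I)
        s = re.sub(r"%c0%af", "/", s, flags=re.I)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)   # U+FF0F fullwidth solidus -> '/'
    s = s.replace("\\", "/")
    return re.sub(r";[^/]*", "", s)        # '..;/' -> '../'


def find_traversal_attempts(log_text):
    """Return (client_ip, raw_target, normalized_target) for every request whose normalized target contains '../'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        norm = normalize_path(target)
        if TRAVERSAL_RE.search(norm):
            hits.append((line.split()[0], target, norm))
    return hits
```

Set max_rounds to at least the decoding depth of the stack you protect; a detector that decodes more deeply than the server will over-flag, which is the safer direction for alerting.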
Tools
- Burp Suite Intruder — fuzz file parameters with traversal wordlists
- ffuf — fast fuzzing with -w traversal-payloads.txt
- dotdotpwn — dedicated directory traversal fuzzer
- Nuclei — templates for common traversal patterns (nuclei -t http/vulnerabilities/path-traversal/)
Writing the Report
A path traversal report that pays well includes:
- Clear reproduction steps — exact HTTP request with the traversal payload
- Proof of file read — screenshot or response body showing file contents
- Impact demonstration — show what sensitive data is accessible (redact actual secrets)
- Escalation path — explain how file read leads to account takeover or RCE
- Remediation — recommend allowlisting filenames, using a file ID instead of a path, or chrooting the file access
FAQ
What is path traversal?
Path traversal (also called directory traversal) is a vulnerability that allows attackers to read files outside the intended directory by manipulating file path parameters with sequences like ../ to navigate the filesystem.
What is the difference between path traversal and LFI?
Path traversal reads arbitrary files by escaping the intended directory. Local File Inclusion (LFI) includes files into the application's execution context, which can lead to code execution. Path traversal is a file read; LFI is a file include that may execute code.
Can path traversal lead to RCE?
Yes. Path traversal can escalate to RCE by reading sensitive files like SSH keys, database credentials, or application secrets, then using those to gain shell access. Combined with file write capabilities, it can directly achieve code execution.