New to CAPEC? Start Here
Home > CAPEC List > CAPEC-139: Relative Path Traversal (Version 3.5)  

CAPEC-139: Relative Path Traversal

Attack Pattern ID: 139
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.126Path Traversal
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Survey application: Using a browser or an automated tool, an attacker follows all public links on a web site. They record all the links they find. They pick out the URL parameters that may related to access to files.

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.
  1. Attempt variations on input parameters: Possibly using an automated tool, an attacker requests variations on the identified inputs. They send parameters that include variations of payloads.

    Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".
    Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.
  1. Access, modify, or execute arbitrary files.: An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker could be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, they could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands.

    Manipulate file and its path by injecting relative path sequences (e.g. "../").
    Download files, modify files, or try to execute shell commands (with binary files).
+ Prerequisites
The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.
+ Skills Required
[Level: Low]
To inject the malicious payload in a web page
[Level: High]
To bypass non trivial filters in the application
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Modify Data
Read Data
Execute Unauthorized Commands
Access Control
Bypass Protection Mechanism
Unreliable Execution
+ Mitigations
Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.
Implementation: Prefer working without user input when using file system calls
Implementation: Use indirect references rather than actual file names.
Implementation: Use possible permissions on file access when developing and deploying web applications.
+ Example Instances

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.

Then an attacker creates special payloads to bypass this filter: /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

+ References
[REF-9] "OWASP Testing Guide". Testing for Path Traversal (OWASP-AZ-001). v4. The Open Web Application Security Project (OWASP). 2010. <>.
[REF-10] "WASC Threat Classification 2.0". WASC-33 - Path Traversal. The Web Application Security Consortium (WASC). 2010. <>.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2015-11-09CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases
2015-12-07CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases
2017-01-09CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Related_Weaknesses
2017-05-01CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Phases
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Consequences
2020-07-30CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Mitigations
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated References
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020