Directory traversal is an HTTP exploit which allows attackers to access restricted directories and/or execute commands outside of the web server's root directory.
Capabilities and Risk
An attacker can access restricted files, such as application source code, with the permissions of the web server.
Detection
Identify user input that the application uses to retrieve files, and attempt to access higher directories by supplying ../ sequences, e.g. ../../../../etc/passwd.
You will often encounter input filters that reject a simple ../, so also try different encodings and patterns, such as URL-encoded or Unicode-encoded characters.
Remediation
Properly sanitize any user input that is used to access files on the server.
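One way to apply this, shown as an added example rather than code from the original page: decode the input, canonicalize the resulting path, and verify it is still inside the served directory, so the check is made on the final path instead of on the raw string. The names resolve_under, TraversalError and demo, the five-layer decoding limit, and the sample inputs are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

class TraversalError(ValueError):
    """Raised when a requested name resolves outside the served directory."""

def resolve_under(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `base_dir`, or raise."""
    # Decode until stable so multiply-encoded input is checked in the form
    # that will actually be used (assumption: names never contain a literal %).
    decoded = requested
    for _ in range(5):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise TraversalError("too many encoding layers")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError("path escapes the served directory")
    return candidate

def demo() -> dict:
    """Run constructed sample inputs against a temporary web root."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("public\n")
        samples = ["docs/readme.txt", "docs/../docs/readme.txt",
                   "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd",
                   "%252e%252e%252fetc/passwd", "/etc/passwd"]
        for name in samples:
            try:
                resolve_under(root, name)
                results[name] = "allowed"
            except TraversalError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Open the file using the path that resolve_under returns, not the original input, so the path that was validated is the path that is read.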