[{"data":1,"prerenderedAt":172},["ShallowReactive",2],{"blog-vulnerabilities/path-traversal":3},{"id":4,"title":5,"body":6,"category":151,"date":152,"dateModified":153,"description":154,"draft":155,"extension":156,"faq":157,"featured":155,"headerVariant":158,"image":157,"keywords":157,"meta":159,"navigation":160,"ogDescription":161,"ogTitle":157,"path":162,"readTime":163,"schemaOrg":164,"schemaType":165,"seo":166,"sitemap":167,"stem":168,"tags":169,"twitterCard":170,"__hash__":171},"blog/blog/vulnerabilities/path-traversal.md","Path Traversal Explained",{"type":7,"value":8,"toc":142},"minimark",[9,16,21,36,46,51,54,82,86,95,111,130],[10,11,12],"tldr",{},[13,14,15],"p",{},"Path traversal (or directory traversal) happens when user input is used to construct file paths without proper validation. Attackers use ../ sequences to escape the intended directory and read sensitive files like /etc/passwd or your .env file. Always resolve paths and verify they stay within the allowed directory.",[17,18,20],"h2",{"id":19},"how-path-traversal-works","How Path Traversal Works",[22,23,25],"code-block",{"label":24},"Vulnerable file serving",[26,27,32],"pre",{"className":28,"code":30,"language":31},[29],"language-text","// User requests: /api/files?name=../../../etc/passwd\n\napp.get('/api/files', (req, res) => {\n  const filename = req.query.name;\n  const filepath = path.join('/uploads', filename);  // VULNERABLE!\n\n  // This reads /etc/passwd, not a file in /uploads\n  res.sendFile(filepath);\n});\n","text",[33,34,30],"code",{"__ignoreMap":35},"",[37,38,39],"danger-box",{},[13,40,41,45],{},[42,43,44],"strong",{},"Common targets:"," /etc/passwd, .env, config files, source code, private keys. On Windows: C:\\Windows\\System32\\config\\SAM, web.config",[47,48,50],"h3",{"id":49},"bypass-attempts","Bypass Attempts",[13,52,53],{},"Simple blacklisting of \"../\" is not enough. Attackers use encodings:",[55,56,57,64,70,76],"ul",{},[58,59,60,63],"li",{},[33,61,62],{},"..%2f"," (URL encoded)",[58,65,66,69],{},[33,67,68],{},"..%252f"," (double encoded)",[58,71,72,75],{},[33,73,74],{},"....//"," (after stripping ../)",[58,77,78,81],{},[33,79,80],{},"..\\"," (Windows paths)",[17,83,85],{"id":84},"how-to-prevent-path-traversal","How to Prevent Path Traversal",[22,87,89],{"label":88},"Safe file path handling",[26,90,93],{"className":91,"code":92,"language":31},[29],"import path from 'path';\n\nconst UPLOAD_DIR = '/var/app/uploads';\n\napp.get('/api/files', (req, res) => {\n  const filename = req.query.name;\n\n  // Resolve to absolute path\n  const requestedPath = path.resolve(UPLOAD_DIR, filename);\n\n  // Verify it's still within the allowed directory\n  if (!requestedPath.startsWith(UPLOAD_DIR + path.sep)) {\n    return res.status(403).json({ error: 'Access denied' });\n  }\n\n  // Now safe to use\n  res.sendFile(requestedPath);\n});\n",[33,94,92],{"__ignoreMap":35},[96,97,98,105],"faq-section",{},[99,100,102],"faq-item",{"question":101},"Is path.join() safe?",[13,103,104],{},"No. path.join() just combines paths; it doesn't prevent traversal. You must use path.resolve() and then verify the result is within your allowed directory.",[99,106,108],{"question":107},"What about symbolic links?",[13,109,110],{},"Symlinks can also be used for traversal. Use fs.realpath() to resolve symlinks before checking the path, or disable symlinks in your upload directory.",[112,113,114,120,125],"related-articles",{},[115,116],"related-card",{"description":117,"href":118,"title":119},"Related input issue","/blog/vulnerabilities/command-injection","Command Injection",[115,121],{"description":122,"href":123,"title":124},"Server hardening","/blog/vulnerabilities/insecure-file-permissions","File Permissions",[115,126],{"description":127,"href":128,"title":129},"General validation guide","/blog/how-to/validate-user-input","Input Validation",[131,132,135,139],"cta-box",{"href":133,"label":134},"/","Start Free Scan",[17,136,138],{"id":137},"scan-for-path-traversal","Scan for Path Traversal",[13,140,141],{},"Our scanner tests file endpoints for path traversal vulnerabilities.",{"title":35,"searchDepth":143,"depth":143,"links":144},2,[145,149,150],{"id":19,"depth":143,"text":20,"children":146},[147],{"id":49,"depth":148,"text":50},3,{"id":84,"depth":143,"text":85},{"id":137,"depth":143,"text":138},"vulnerabilities","2026-01-20","2026-02-16","Path traversal lets attackers read files outside your intended directory using ../ sequences. Learn how to safely handle file paths in your application.",false,"md",null,"red",{"noindex":160},true,"Learn how path traversal attacks work and how to prevent them.","/blog/vulnerabilities/path-traversal","5 min read","[object Object]","TechArticle",{"title":5,"description":154},{"loc":162},"blog/vulnerabilities/path-traversal",[],"summary_large_image","W7GE7rBfR4ZAPPncA5A2QgogIDikjFI2p3Cqxi9fxXU",1775843926521]