Path Traversal in 2024 - The year unpacked

Path traversal, also known as directory traversal, occurs when a malicious user manipulates user-supplied data to gain unauthorized access to files and directories. Typically the attacker will be trying to access logs and credentials that are in different directories. Path traversal is not a new vulnerability and has been actively exploited since the 90s when web servers gained popularity, many relied on Common Gateway Interface (CGI) scripts to execute dynamic server-side content.

With such a long history, is path traversal still popular today? We conducted a study of both open-source and closed-source projects to gather data to see how common path traversal was in 2024 and if we are improving, Spoilers we aren’t.

Path traversal example

So how exactly does path traversal work? Let's look at a simple example.

In this simple application, a user is given a file to download via a variable in the URL.

There is some simple backend Python code handling the request.

import os  

def download_file(file):    
   base_directory = "/var/www/files"
   file_path = os.path.join(base_directory, file)          

   if os.path.exists(file_path):        
       with open(file_path, 'rb') as f:            
            return f.read()    
   else:        
      return "File not found"

Now as the variable is supplied in the URL we can change it to something like this file=../../../../etc/passwd

Here the attacker is using the ../../ to traverse up the directory structure to the system root level and access the passed file potentially gaining access to sensitive information.

If you want to see how this method could be secured scroll down to bonus content.

In more complex scenarios involving multiple layers of directories or encoded characters (e.g., %2e%2e%2f), attackers can bypass basic filters and gain deeper access into the file system.

Path traversal by the numbers

• 2.7% of all vulnerabilities found in open-source projects in 2024 so far were path traversal
• 3.5% for closed-source projects!
• An increase in the total number of path traversal vulnerabilities in open-source projects from 742 (2023) to an expected 1,000 (2024).
• As a percentage of all vulnerabilities, path traversal is getting more common with a massive increase in closed-source projects of 85%

Our research focused on researching both open-source and closed-source projects to reveal how many had path traversal vulnerabilities hiding within.

Overall the number of path traversal vulnerabilities is lower than some others we have researched such as Command Injections, or SQL Injections. But considering that this vulnerability can be very dangerous and has well-documented solutions to prevent it, it is alarming to see the numbers as high as they are. It is even more alarming to see the trends for this vulnerability going in the wrong direction. f

Open Source Projects

In open-source projects, path traversal accounted for 2.6% of all reported vulnerabilities in 2023. This figure saw a slight increase in 2024, rising to 2.75%. While this increment may seem marginal at first glance, it underscores ongoing challenges in securing open-source software against even simple vulnerabilities.

Closed Source Projects

The most notable trend was observed in closed-source projects where path traversal incidents surged from 1.9% in 2023 to 3.5% in 2024—a substantial increase of 85% highlighting an alarming trend of this kind of vulnerability.

The bad news unfortunately doesn’t stop there. We are still seeing an increase in the overall number of vulnerabilities reported in open-source projects. The total number of injection vulnerabilities reported in open-source projects went from 742 in 2023 to 917 so far in 2024 (expected to reach 1,000)

Preventing Path Traversal

Preventing command injection vulnerabilities requires a multi-faceted approach:

Input Validation

• Sanitize user inputs: Strip out or encode dangerous characters such as ../, ..\, ..%2f, or other variations.
• Allowlist approach: Define a strict set of permissible inputs (e.g., file names or paths) and reject anything outside this list.

Restrict File Access

• Use a chroot jail or sandbox: Limit the application’s file access to a restricted directory, ensuring it cannot traverse beyond the intended directory tree.
• Set root directories: Define base directories and ensure all paths are relative to them. Use APIs or frameworks that enforce this, such as:java.nio.file.Paths.get("baseDir").resolve(userInput).normalize() in Java.
  os.path.realpath() and os.path.commonpath() in Python.

Secure File Access APIs

• Use secure file access methods provided by modern libraries or frameworks:In Java, use Files.newInputStream() or Files.newBufferedReader() for safe file handling.
  In Python, ensure you validate file paths before accessing them.

Use Environment Restrictions

• Set restrictive file system permissions:Ensure the application has only the minimum required privileges.
  Deny access to sensitive directories (e.g., /etc, /var, /usr, and user home directories).
• Disable unnecessary features in web servers or frameworks (e.g., symbolic link following).

Automated Testing

• Use tools like Aikido to scan your source code and application to discover these vulnerabilities.
• Both SAST and DAST tools should be used together along with domain scanning and cloud security to ensure you have no hidden path traversal vulnerabilities.

Use an in-app firewall

• One of the best defenses against injection attacks is an in-app firewall that is able to catch and block malicious commands.

The road forward

Path traversal is a vulnerability that has been present since the beginning of web apps and while it is often quite simple, it can also be a very devastating exploit. This makes it so concerning that such a large percentage of projects are still struggling with such issues. While 3.5% does not seem like a high number, it is quite remarkable that the number is growing in popularity despite its clear continued and well-documented threat.

Path traversal isn’t a vulnerability that is going away but the good news is that there are clear ways we can find these vulnerabilities in our application and remediate any issues we find.

Bonus Content

Real-World Incidents

There have been several high-profile breaches or vulnerabilities in recent years that involved path traversal as either the primary point of entry or as part of a chain of vulnerability

Microsoft IIS Unicode Exploit (2001)

One of the earliest high-profile path traversal exploits targeting Microsoft IIS servers. Attackers used encoded paths to bypass validation mechanisms (e.g., using %c0%af to represent /). This allowed them to access and execute files outside the web root directory.

This enabled the deployment of malware and defacement of numerous websites.

Fortinet VPN Path Traversal (2019)

Fortinet's SSL VPN was found to have a directory traversal vulnerability (CVE-2018-13379). Attackers exploited this flaw to access sensitive system files, such as plaintext passwords for VPN users.

Thousands of VPN credentials were leaked online, exposing organizations to unauthorized access and further attacks.

Capital One Breach (2019)

What happened: While the primary cause was an SSRF vulnerability, the attacker also leveraged directory traversal in accessing AWS S3 bucket metadata. The attacker exploited misconfigurations to retrieve configuration files that should have been inaccessible.

This exposed personal data of 106 million credit card applicants.

Path Traversal in Kubernetes Dashboard (2020)

The Kubernetes Dashboard had a directory traversal flaw (CVE-2020-8563). Attackers exploited this to read sensitive files in the container, including secrets stored in /etc.