⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Test Path Traversal

Goal

Determine whether user input can escape the intended filesystem path boundary and access unexpected files or directories.

Assumptions

  • the app reads or writes files based on user-controlled identifiers
  • path normalization may be incomplete
  • platform-specific separators or encodings may matter

Prerequisites

  • file-related endpoints or upload/extraction features
  • ability to replay requests and compare responses

Recon steps

  1. Identify download, preview, import, extraction, and template-related features.
  2. Map where path-like input appears in routes, params, or JSON.
  3. Note OS/platform behavior where relevant.

Exploit / test steps

  1. Try simple traversal sequences.
  2. Test encoded or alternate separator variants where appropriate.
  3. Compare behavior for read and write operations.
  4. Probe archive extraction or upload workflows for directory escape.
  5. Observe whether normalization happens before or after validation.

Validation clues

  • access to unexpected files
  • different errors when escaping intended directories
  • writes or extractions landing outside controlled paths

Mitigation

  • avoid raw user-controlled filesystem paths
  • use indirect references or strict allowlists
  • canonicalize safely and verify final paths
  • isolate processing and storage accounts/dirs

Logging / detection

  • repeated traversal-like strings
  • failed file access outside expected trees
  • extraction or write attempts outside upload areas

References

  • Testing / Lab: PortSwigger path traversal topic — https://portswigger.net/web-security/file-path-traversal
  • Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/

Explore nearby notes

Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions.