F5 GLOSSARY

Directory Traversal

Directory traversal (also called "path traversal") is a cyberattack method exploiting vulnerabilities within web servers and web applications.

Generally, web server administrators specify a root directory accessible to users, restricting the files users can access to that directory and its subdirectories. However, if user-supplied input specifying file names or paths is not properly sanitized, an attacker may exploit specially crafted sequences such as "../" to navigate ("traverse") upward to parent directories. Such vulnerabilities allow malicious users to break out of the intended directory and gain unauthorized access to sensitive or hidden files and directories, potentially leading to information disclosure or system compromise.

To prevent directory traversal attacks, web administrators should implement security measures such as restricting the directories accessible to application scripts (for example, configuring the "open_basedir" setting in the PHP "php.ini" file to limit file inclusion paths). When using web servers like Apache, removing or disabling the "Indexes" option in the "httpd.conf" file is critical to preventing directory listing. Directory listing allows attackers to see the contents of directories, exposing naming patterns and facilitating further exploitation attempts.
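As an added illustration that is not part of the F5 glossary, the following Python places the unsafe "join user input onto the web root" pattern beside a resolver that canonicalizes the path and serves the file only if it is still inside the root. The function names and the throwaway web root it builds are assumptions for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_unchecked(web_root: str, requested: str) -> str:
    """Vulnerable pattern: join the user-supplied name onto the web root and
    trust the result. '..' components are honoured, so the path can land
    anywhere on disk."""
    return os.path.normpath(os.path.join(web_root, requested))


def resolve_checked(web_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: canonicalize (collapsing '..' and following symlinks)
    and serve the file only if it is still inside the web root."""
    root = os.path.realpath(web_root)
    # Strip leading separators so os.path.join cannot be redirected to '/'.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # commonpath is a component-wise check; a plain startswith() would wrongly
    # accept '/var/www-private' as being under '/var/www'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway web root plus a file outside it (constructed sample
    data, assumption for this example) and run both resolvers."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="webroot-"))
    outside = os.path.realpath(tempfile.mkdtemp(prefix="outside-"))
    secret = os.path.join(outside, "secret.txt")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>constructed sample page</h1>")
    with open(secret, "w") as fh:
        fh.write("constructed sensitive file\n")
    # A symlink inside the root pointing outside it: realpath follows it.
    os.symlink(secret, os.path.join(root, "link.txt"))
    # Equivalent of a request such as '../outside-xyz/secret.txt'.
    traversal = os.path.relpath(secret, root)
    return {
        "root": root,
        "secret": secret,
        "legit": resolve_checked(root, "css/../index.html"),
        "traversal_unchecked": resolve_unchecked(root, traversal),
        "traversal_checked": resolve_checked(root, traversal),
        "symlink_checked": resolve_checked(root, "link.txt"),
        "absolute_checked": resolve_checked(root, "/etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the checked resolver also refuses symlinks that lead outside the root; if a deployment relies on such links, that policy has to be an explicit decision rather than an accident of the check.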

In addition, directory traversal attacks can be effectively mitigated by employing Web Application Firewalls (WAFs). F5 provides robust WAF functionality in F5 BIG-IP Application Security Manager (ASM), which helps protect against path traversal and similar web vulnerabilities.