CWE-22: Path Traversal

Overview

This guidance helps interpret DAST findings for CWE-22: Path Traversal. During dynamic scanning, the scanner detected that file access requests could be manipulated to traverse directory structures and access files outside the intended scope.

What the DAST scanner detected:

  • Path traversal payloads (../, ..%2f, ....//, .%2e/, ..%5c) in file parameters successfully accessing files outside the web root
  • HTTP responses containing sensitive file contents (e.g., /etc/passwd, C:\Windows\win.ini, web.config, .env files)
  • Different response sizes/status codes when valid vs invalid paths are requested, indicating path resolution occurs
  • Error messages revealing absolute file paths (FileNotFoundError: /var/www/../../etc/shadow) or "file not found" for system files
  • Timing differences when accessing existing vs non-existing files outside allowed directories

The scanner confirmed exploitability by observing that user-controlled file paths led to unauthorized file access - evidenced by actual file content in HTTP responses or distinctive error patterns.

Key DAST evidence:

  • Response body contains /etc/passwd content after requesting ?file=../../etc/passwd
  • Status code 200 for /download?file=..%2f..%2fetc%2fpasswd vs 404 for random paths
  • Error messages showing resolved absolute paths
  • Different content lengths for ?path=../../../etc/hosts vs ?path=random.txt

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

When reviewing your security scan results, you'll see:

HTTP Request Details

  • URL and endpoint that triggered the finding
  • HTTP method (GET, POST, etc.)
  • Query parameters or form data with test payloads
  • Request headers and body content

HTTP Response Evidence

  • Response showing the vulnerability manifestation
  • Evidence of improper handling or injection
  • Runtime behavior indicators

Attack Vector

  • Which parameter or input is vulnerable
  • Type of exploitation possible
  • Context where the vulnerability appears

Mapping DAST Findings to Source Code

Find the Vulnerable Endpoint

Use the HTTP request URL to locate the code:

# Search for the URL path in your codebase
grep -r "/download" src/
grep -r "route.*download" src/

Locate the Route Handler

Common patterns to search for:

  • Python Flask/Django: @app.route('/download'), path('download/', ...)
  • Node.js Express: app.get('/download', ...), router.get('/download', ...)
  • Java Spring: @GetMapping("/download"), @RequestMapping("/download")
  • ASP.NET: [Route("download")], MapRoute("download", ...)
  • PHP: $_GET['file'], route definitions in routing files

Find the Parameter Handling

Search for the vulnerable parameter name:

# Find where the parameter is accessed (-F searches for the literal string,
# so dots, brackets and quotes in the pattern are not treated as regex syntax)
grep -rF "request.args.get('file')" src/     # Python Flask
grep -rF "req.query.file" src/               # Node.js
grep -r "@RequestParam.*file" src/           # Java Spring (regex on purpose)
grep -rF "Request.QueryString['file']" src/  # ASP.NET
grep -rF "\$_GET['file']" src/               # PHP (escape $ so the shell does not expand it)

Trace to Vulnerable Operation

Look for where the parameter is used in:

  • File system access operations
  • Path construction with user input
  • File reading/writing operations
  • Directory traversal checks

Remediation

Core principle: Never allow untrusted input to directly control filesystem paths or resource locations; map external identifiers to server-controlled paths and enforce canonical containment.

→ For comprehensive remediation guidance, see Static CWE-22 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

# Use curl to replay the exact request
curl "http://localhost:3000/download?file=../../etc/passwd"

# Or use browser DevTools Network tab to copy as cURL

Verify the Fix

  • Confirm path normalization and containment checks prevent access outside the allowed directory (not just simple .. filtering)
  • Verify files outside allowed directory cannot be accessed
  • Test that normalized paths are within allowed boundaries

Test Edge Cases

# Traversal variations
/download?file=../../etc/passwd
/download?file=....//....//etc/passwd
/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd
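The containment check described under Remediation and Verify the Fix, run against the traversal variations listed above, as an added example (not code from this guidance page); it assumes a POSIX host, a download root of /var/www/app/downloads, and that the function receives the raw, still URL-encoded query value.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Directory downloads are served from (constructed for this example).
ALLOWED_ROOT = os.path.realpath("/var/www/app/downloads")


def naive_sanitize(user_path: str) -> str:
    """The 'simple .. filtering' the page warns against: strips '../' once.
    The ....// payload survives it and collapses into ../ after the strip."""
    return user_path.replace("../", "")


def safe_resolve(user_path: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Canonical containment check: decode once, resolve the request against
    the root, then verify the real path is still inside the root.
    Returns the resolved absolute path, or None when the request is rejected."""
    decoded = unquote(user_path)          # handles ..%2f and %2e%2e%2f forms
    decoded = decoded.replace("\\", "/")  # treat ..%5c (backslash) like ../
    if not decoded.strip() or decoded.startswith("/"):
        return None                       # empty or absolute paths are never allowed
    # realpath normalizes ../ segments and resolves symlinks, so the
    # comparison below is made on the path the OS would actually open
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_allowed(user_path: str) -> bool:
    """Convenience wrapper: True when the request stays inside ALLOWED_ROOT."""
    return safe_resolve(user_path) is not None
```

Note that ....//....//etc/passwd is harmless once canonically resolved (`....` is just a directory name inside the root); it only escapes after a naive `../` strip turns it into ../../etc/passwd, which is why the page lists it as an edge case.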

Re-run DAST Scanner

Run your dynamic scanner again on the fixed endpoint to confirm remediation.

Additional Resources