
CWE-35: Path Traversal (Absolute Path)

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application accepted HTTP requests containing absolute path specifications in file-related parameters, allowing access to files outside the intended directory by bypassing relative path restrictions. DAST tools identify this by:

Detection Methods:

  • Submitting absolute Unix paths (/etc/passwd, /etc/shadow) in file parameters
  • Submitting Windows drive-letter paths (C:\Windows\win.ini, D:\secrets\data.txt)
  • Testing UNC paths (\\server\share\file.txt) on Windows systems
  • Monitoring for successful file retrieval indicated by known file content in responses
  • Observing different response sizes, timing, or HTTP status codes for valid vs. invalid absolute paths

HTTP Evidence:

  • Response bodies containing recognizable system file content (e.g., /etc/passwd format, Windows INI structure)
  • HTTP 200 status for absolute paths that should be restricted
  • Error messages revealing filesystem structure ("File not found: C:\...", "/etc/...")
  • Content-Length headers revealing file sizes matching system files
  • Different response timing for existing vs. non-existing absolute paths

Scanner Behavior: OWASP ZAP (Active Scan Rule 6) and PortSwigger Burp Scanner test absolute paths across platforms, monitoring for successful file access. Payloads include /etc/passwd, C:\boot.ini, /proc/self/environ, and UNC paths. Detection relies on response content analysis, error message patterns, and behavioral differences.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

When reviewing your security scan results, you'll see:

HTTP Request Details

  • URL and endpoint that triggered the finding
  • HTTP method (GET, POST, etc.)
  • Query parameters or form data with test payloads
  • Request headers and body content

HTTP Response Evidence

  • Response showing the vulnerability manifestation
  • Evidence of improper handling or injection
  • Runtime behavior indicators

Attack Vector

  • Which parameter or input is vulnerable
  • Type of exploitation possible
  • Context where the vulnerability appears

Mapping DAST Findings to Source Code

Find the Vulnerable Endpoint

Use the HTTP request URL to locate the code:

# Search for file serving endpoints
grep -r "/download" src/
grep -r "/file" src/
grep -r "open(" src/
grep -r "readFile" src/

Locate File Access Code

Common patterns to search for:

  • Python: open(filename), os.path.join()
  • Node.js: fs.readFile(), path handling
  • Java: new File(), Files.readAllBytes()
  • PHP: fopen(), file_get_contents()
  • ASP.NET: File.ReadAllText(), file I/O

Find Path Construction

Search for file path handling:

# Find file operations
grep -r "open.*req" src/
grep -r "readFile.*param" src/
grep -r "File(.*param" src/

Trace to Vulnerable Operation

Look for absolute path usage:

  • No path validation: Absolute paths accepted (/etc/passwd)
  • Windows paths: C:\, D:\ not blocked
  • UNC paths: \\server\share paths allowed
  • Symlink following: Following symbolic links outside base
  • Missing canonicalization: Not resolving to real path

Remediation

Core principle: Never allow untrusted input to specify absolute or root-anchored paths; all filesystem access must be resolved relative to a server-controlled base directory and verified for canonical containment.

→ For comprehensive remediation guidance, see Static CWE-35 Guidance

Language-Specific Guidance

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

# Test absolute path access
curl "http://localhost/download?file=/etc/passwd"
curl "http://localhost/view?path=C:\\Windows\\System32\\config\\SAM"

# UNC paths
curl "http://localhost/file?name=\\\\server\\share\\secrets.txt"

Verify the Fix

  • Confirm absolute, drive-letter, and UNC paths are rejected after normalization
  • Verify paths are resolved to canonical form before any filesystem access
  • Check that only files under the allowed base directory can be served
  • Ensure UNC/network paths are blocked
  • Test that symlinks cannot escape the base directory
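The containment check described under Remediation and the checklist above, as an added Python example (not code from the original page): the vulnerable os.path.join pattern sits beside a hardened resolver that rejects root-anchored input under both POSIX and Windows rules, canonicalizes with realpath, and verifies containment. The fixture directory, file name and symlink in demo_checks are constructed for the demonstration.

```python
import ntpath
import os
import posixpath
import tempfile

class PathRejected(ValueError): pass

def unsafe_join(base_dir: str, user_path: str) -> str:
    # The vulnerable pattern: os.path.join discards base_dir entirely when
    # user_path is absolute, so "/etc/passwd" comes back unchanged.
    return os.path.join(base_dir, user_path)

def is_root_anchored(user_path: str) -> bool:
    # Check under both platforms' rules regardless of the host OS, so a Linux
    # server still rejects "C:\...", "C:foo", "\\server\share" and "\foo".
    if posixpath.isabs(user_path) or ntpath.isabs(user_path):
        return True
    drive, _ = ntpath.splitdrive(user_path)
    return bool(drive) or user_path.startswith(("/", "\\"))

def safe_resolve(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and verify canonical containment."""
    if is_root_anchored(user_path):
        raise PathRejected("absolute or root-anchored path")
    base_real = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link inside base that points outside
    # resolves to its target and fails the containment check below.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathRejected("path escapes base directory")
    return candidate

def demo_checks() -> dict:
    """Constructed fixture: a temp base dir with one file and one escaping symlink."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("ok")
    os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
    probes = ["report.txt", "/etc/passwd", "C:\\Windows\\win.ini",
              "\\\\server\\share\\data", "../../etc/passwd", "escape/report.txt"]
    results = {}
    for probe in probes:
        try:
            safe_resolve(base, probe)
            results[probe] = "allowed"
        except PathRejected as exc:
            results[probe] = str(exc)
    return results
```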

Test Edge Cases

# Absolute Unix paths
/download?file=/etc/passwd
/download?file=/etc/shadow
/download?file=/root/.ssh/id_rsa

# Absolute Windows paths
/download?file=C:\\Windows\\win.ini
/download?file=D:\\secrets\\passwords.txt

# UNC paths
/download?file=\\\\192.168.1.1\\share\\data

# Mixed
/download?file=/var/www/../../../etc/passwd

# Or use browser DevTools Network tab to copy as cURL

Re-run DAST Scanner

Run your dynamic scanner again on the fixed endpoint to confirm remediation.

Additional Resources