Directory traversal attack
A directory traversal, path traversal, or dot-dot-slash attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API. An affected application can be exploited to gain unauthorized access to the file system.
A typical example of a vulnerable application in PHP code is:
An attack against this system could be to send the following HTTP request:
The server would then generate a response such as:
The repeated ../ characters after /home/users/phpguru/templates/ have caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd.
Unix /etc/passwd is a common file used to demonstrate directory traversal, as crackers often use it to try cracking passwords. However, on more recent Unix systems, /etc/passwd does not contain the hashed passwords; they are instead stored in /etc/shadow, which cannot be read by unprivileged users on the machine. Even in that case, though, reading /etc/passwd still shows a list of user accounts, which could then become a starting point for further attacks.
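The include() pattern described above can be hardened by canonicalising the requested name and confirming that the result stays inside the template directory. The following is an added example, not code from the original page: the function name resolveTemplate, the file names and the temporary sandbox directory are constructed for illustration, and it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not the page's code. Resolves a user-supplied template name
// and returns its canonical path only if it stays inside $baseDir.
function resolveTemplate(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    // Reject NUL bytes up front: realpath() throws on them in PHP 8.
    if ($base === false || $name === '' || str_contains($name, "\0")) {
        return null;
    }
    // realpath() collapses ../ sequences and follows symlinks, so the
    // comparison below sees the path the file system API would really open.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The trailing separator stops a sibling such as "templates_old" from
    // passing a plain prefix check against "templates".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($path, $prefix) ? $path : null;
}

// Constructed sandbox standing in for /home/users/phpguru/templates.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/red.php', "red template\n");
file_put_contents($root . '/secret.txt', "outside the template directory\n");

// Constructed inputs: a legitimate name, one that climbs out, one that is absent.
foreach (['red.php', '../secret.txt', 'missing.php'] as $requested) {
    // Vulnerable pattern described above: the name is concatenated unchecked.
    $naive = $root . '/templates/' . $requested;
    $naiveEscapes = is_file($naive)
        && dirname(realpath($naive)) !== realpath($root . '/templates');

    $safe = resolveTemplate($root . '/templates', $requested);
    printf("%-14s naive escapes: %-3s  hardened: %s\n",
        $requested, $naiveEscapes ? 'yes' : 'no', $safe ?? 'rejected');
}
```

Only the path returned by resolveTemplate() should ever reach include(); where the set of templates is fixed, an allow-list of known names is a simpler check still.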
Another example is the "Zip Slip" vulnerability that affects several archive file formats like ZIP.
Directory traversal in its simplest form uses the ../ pattern. Some common variations are listed below: