Standardlikelihood: Highseverity: Very HighDraft

CAPEC-126Path Traversal

Abstraction
Standard
Status
Draft
Likelihood
High
Severity
Very High

Description

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.

Related weaknesses· 1

CWE-22

Related attack patterns· 2

CAPEC-153 (ChildOf)CAPEC-664 (CanPrecede)

Exploits1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-22100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Relative Path Traversal
CAPEC
Absolute Path Traversal
CAPEC
DEPRECATED: Directory Traversal
CAPEC
File Manipulation
CAPEC
Directory Indexing
CAPEC
Symlink Attack
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.