# Security Test: Directory traversal

## Description
Default Severity:
Directory traversal allows an attacker to manipulate file paths so that they can access files outside the intended directory. It happens when a web application does not properly validate or sanitize file path inputs, so an attacker can trick it into revealing sensitive files such as configuration files or system information. This is dangerous because the exposed details can be used to penetrate the system further or to compromise data. Developers often make the mistake of assuming input is safe, which is why it is important to validate and restrict which file paths can be accessed.
Reference:
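As an added example (not code from this page or from the scanner's own documentation), the unsafe path join that directory traversal abuses is shown beside a hardened version that canonicalises the path and refuses anything that escapes the intended directory. The function names, the base directory `/srv/app/uploads` and the sample requests are assumptions constructed for illustration.

```python
import os
from typing import Dict, Optional
from urllib.parse import unquote

# Sample file-download requests (constructed for this example, not real traffic).
SAMPLE_REQUESTS = [
    "report.pdf",
    "2024/invoice.pdf",
    "./reports/../report.pdf",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "/etc/passwd",
    "../uploads2/notes.txt",
]


def naive_join(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern (hypothetical helper): the user-controlled segment is
    concatenated as-is, so '../' sequences walk out of base_dir."""
    return os.path.join(base_dir, user_path)


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened version: canonicalise first, then require the result to stay
    under base_dir. Returns the resolved path, or None when it escapes."""
    base = os.path.realpath(base_dir)
    # Check the decoded form: a check on the raw string would miss '%2e%2e/'.
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    # realpath collapses '..' and resolves symlinks. Comparing against base
    # plus os.sep stops '/srv/app/uploads2' from passing as a child of
    # '/srv/app/uploads'. An absolute user_path makes os.path.join discard
    # base entirely, and is rejected by the same test.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def classify_requests(base_dir: str, requested) -> Dict[str, bool]:
    """Map each requested path to True (served) or False (rejected) under safe_join."""
    return {p: safe_join(base_dir, p) is not None for p in requested}


if __name__ == "__main__":
    base = "/srv/app/uploads"
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:36} naive -> {os.path.normpath(naive_join(base, req))}"
              f"  safe -> {safe_join(base, req)}")
```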
## Configuration

Identifier: `injection/directory_traversal`
### Examples

All configuration available:

```yaml
checks:
  injection/directory_traversal:
    skip: false # default
    options:
      skip_objects: # cf. Options below
```
### Options

Options can be set in the `options` key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
skip_objects | List[string] | | List of objects that are to be skipped by the security test. |
## Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API10:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.1 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-6 |
CWE | 551 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 7.2 |