Directory Traversal Attack Logs


What This Means

Detect directory traversal and local file inclusion attacks across web platforms. Learn to identify path traversal patterns in access logs and protect sensitive server files.

Example Log

-- Access log showing traversal across platforms:
198.51.100.88 "GET /download?file=../../../etc/passwd HTTP/1.1" 200 1847
198.51.100.88 "GET /include.php?page=....//....//etc/shadow HTTP/1.1" 403 156
198.51.100.88 "GET /view?doc=%252e%252e%252fetc%252fpasswd HTTP/1.1" 400 0
198.51.100.88 "GET /api/file?path=C:%5c..%5c..%5cwindows%5csystem.ini HTTP/1.1" 403 0

Indicators of Suspicious Activity

How to Investigate

  1. Search all access logs for traversal patterns using regex (URL-decoded)
  2. Catalog all endpoints that accept file path parameters
  3. Check response codes — 200 responses to traversal indicate successful exploitation
  4. If 200 found, determine what file contents were exposed
  5. Review application code for vulnerable file inclusion or file read operations
  6. Check for evidence of follow-up attacks leveraging disclosed information
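Steps 1 and 3 can be combined in one pass over the log. The following is an added example, not code from the original page: it decodes each request URL repeatedly, normalizes path separators, matches traversal segments, and ranks 200 responses first. It assumes the simplified log format shown under Example Log; the names `scan` and `fully_decode` are this example's own.

```python
import re
from urllib.parse import unquote

# The four sample lines from the "Example Log" section of this page.
SAMPLE_LOG = '''\
198.51.100.88 "GET /download?file=../../../etc/passwd HTTP/1.1" 200 1847
198.51.100.88 "GET /include.php?page=....//....//etc/shadow HTTP/1.1" 403 156
198.51.100.88 "GET /view?doc=%252e%252e%252fetc%252fpasswd HTTP/1.1" 400 0
198.51.100.88 "GET /api/file?path=C:%5c..%5c..%5cwindows%5csystem.ini HTTP/1.1" 403 0
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
# Two or more dots as a whole path segment, after separators are normalized.
# Also matches the "...." segments used in "....//"-style filter evasion.
TRAVERSAL_RE = re.compile(r'(?:^|[/=])\.{2,}(?:/|$)')

def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly so double-encoded input (%252e) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return one finding per request whose decoded URL contains traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, method, url, status, size = m.groups()
        decoded = fully_decode(url).replace('\\', '/')
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                'ip': ip, 'url': url, 'decoded': decoded,
                'status': int(status), 'bytes': int(size),
                # Step 3: a 200 with a response body is triaged first.
                'priority': 'high' if status == '200' and int(size) > 0 else 'review',
            })
    return findings

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['priority']:6} {f['status']} {f['ip']} {f['decoded']}")
```

Matching on the raw URL alone would miss the third and fourth sample lines, which only show `../` after decoding and separator normalization.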

Recommended Mitigations

Frequently Asked Questions

What is the impact of a successful directory traversal?
Attackers can read any file the web server process has permission to access: configuration files with database credentials, private keys, password files, application source code, and system configuration.

How do attackers bypass traversal filters?
Common bypasses: double-encoding (%252e%252e), Unicode variants, mixed path separators (..\..//), null bytes (%00), and OS-specific tricks like ....//, which becomes ../ after a basic filter removes ../ once.

What is the difference between LFI and RFI?
Local File Inclusion (LFI) reads files from the server itself using traversal paths. Remote File Inclusion (RFI) includes files from external URLs, enabling remote code execution. RFI requires specific server configurations.