---
title: "What is a directory traversal attack?"
page_name: "Directory traversal"
type: "glossary"
slug: "directory-traversal"
published_at: "2025-02-17"
modified_at: "2026-02-11"
url: "https://www.sumologic.com/glossary/directory-traversal"
canonical: "https://www.sumologic.com/glossary/directory-traversal"
markdown_url: "https://www.sumologic.com/glossary/directory-traversal.md"
lang: "en"
excerpt: "Explore what directory traversal attacks are, how they're triggered, their vulnerabilities, and examples. Learn how Sumo Logic’s cloud-native comprehensive platform helps your team make data-driven decisions and streamline the security investigation process of your networks."
---

# Directory traversal

## What is a directory traversal?

A directory traversal is an HTTP attack that allows attackers to gain access to restricted files. Directory traversal attacks, also known as path traversal, are some of the most common and dangerous attacks that businesses will see.

Key takeaways

- Directory traversal vulnerabilities are enabled by insufficient sanitization, filtering and security of system files or parts of system files.
- When a directory traversal attack is performed, it is usually done by traversing the root directory, which gives the attacker access to specific restricted files.
- Even with all of the preventative measures in place, there will always be a chance that attackers get through to your directories and compromise your networks.
- Sumo Logic’s cloud-native, comprehensive platform helps your team make data-driven decisions and streamline the security investigation process of your networks.

## How do directory traversal attacks work?

Securing and running web servers is imperative to the efficacy of any organization, and understanding how directory traversals work in preparation for an attack is the only way to prevent and mitigate vulnerabilities.

The root directory is the top-level directory of a file system, which contains all other directories and files in the system. In other words, the directory structure’s starting point defines the location of files, the file path and directories within the file system. In the context of directory traversal attacks or path traversal attacks, the root directory is the starting point that attackers usually traverse to gain unauthorized access to sensitive files and directories on a web server.

Directory traversal vulnerabilities are enabled by insufficient sanitization, filtering and security of system files or parts of system files. A security vulnerability can be found directly within server files or through application code carried out on a web server.

A directory traversal vulnerability, or path traversal vulnerability, gives attackers access to sensitive data that could lead to other attacks within a system. Most attacks are made against or through the root directory, essentially the parameters that users on a server are confined to. When a directory traversal attack, or path traversal attack, is performed, it is usually done by traversing the root directory, which gives the attacker access to specific restricted files and sensitive information.

These attacks can be made through a file system vulnerability in either the web server or the application code. Attackers exploit these vulnerabilities, submitting URLs that notify the system to send files back to the application. Windows or DOS traversals use the “..\\” or “../” patterns to retrieve certain files from a directory, and attackers will repeat the command until they’ve retrieved the intended files. They can then use these files to compromise a system further.

Below, we’ll get into what some directory traversal attacks might look like.

## Directory traversal attack examples

This first example from the [Open Web Application Security Project](https://owasp.org/www-community/attacks/Path_Traversal) (OWASP) shows vulnerabilities in an application’s handling of resources:

```
http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html
```

Attackers can then insert their root directory patterns to traverse the directory and gain access to new files.

```
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
```

These attacks can compromise systems, sensitive files, and server data.

Attackers can also go after vulnerabilities within the web server. It would look something like this:

```
http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicius-code.php
```

Although there are other types of attacks, these are the two most common that security teams and organizations will encounter and the two types of traversal attacks you want to be most prepared for.

## How do you know if a system has been targeted by a directory traversal attack?

Identifying a directory traversal attack can be challenging, as it can be designed to mimic legitimate requests and vary in complexity. However, some common signs that a directory traversal attack may have targeted your system include:

1\. **Unusual or unexpected file access or modification**: An absolute file path is a complete file or directory path that describes the precise location of a file or directory in a file system. If you notice that files or directories have been accessed or modified without your knowledge or permission, it could be a sign of a directory traversal attack.

2\. **Suspicious or unexpected URLs**: A traversal sequence is a series of characters or strings that an attacker uses to navigate through a file system and access files outside of the web server’s root directory. Look for directory traversal sequences with unusual patterns, such as “../” or “../../”, commonly used in directory traversal attacks.

3\. **Error messages or log files**: Check your web server error messages or [log files](http://www.sumologic.com/glossary/log-file) for any errors related to file access or directory traversal.

4\. **Network traffic**: Monitor your network traffic for any unusual or suspicious activity, such as a high volume of requests to a specific directory or file.
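
As an added example (not part of the original page), the Python sketch below applies signs 2 and 3 to web server access logs: it percent-decodes each request target before matching, since a log may record the sequence in encoded form, and flags any `..` path segment. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a combined-log-format line: "METHOD target PROTOCOL" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment bounded by / or \ (or by the start of the target or of a parameter value)
TRAVERSAL_RE = re.compile(r'(^|[\\/=])\.\.([\\/]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so singly and doubly encoded targets normalise alike."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_traversal_requests(log_lines):
    """Return (line_number, decoded_target, status) for requests containing a '..' segment."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        decoded = fully_decode(match.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append((number, decoded, int(match.group("status"))))
    return hits

# Constructed sample lines (not real traffic); paths reuse the URLs shown earlier on this page
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2025:10:00:01 +0000] "GET /get-files.jsp?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Feb/2025:10:00:05 +0000] "GET /get-files?file=../../../../some%20dir/some%20file HTTP/1.1" 404 312',
    '203.0.113.9 - - [17/Feb/2025:10:00:09 +0000] "GET /get-files?file=%2e%2e%2f%2e%2e%2fsome%20dir/some%20file HTTP/1.1" 200 2048',
    '203.0.113.7 - - [17/Feb/2025:10:00:12 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: status {status}: {target}")
```

A flagged request that returned status 200 deserves review before one that returned 404, because the server sent content back.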

If you suspect that a directory traversal attack has targeted your system, it is important to take immediate action to prevent further damage. This may include isolating the affected system, performing a thorough security audit and implementing measures to prevent future attacks.

## Directory traversal mitigation and prevention

Before we get into how to mitigate a directory traversal, should you be on the receiving end of an attack, let’s cover how you can prevent attacks before mitigation becomes necessary.

A few things you can do to prevent directory traversal attacks/path traversal attacks include:

1\) Validate and sanitize all user input to ensure that it conforms to expected values and does not include any malicious directory traversal characters.

2\) Configure web servers and applications to restrict access to sensitive files and directories, and implement access controls so that only authorized users have access to sensitive data.

3\) Regular security testing, such as vulnerability scanning and [penetration testing](https://www.sumologic.com/blog/is-your-penetration-testing-weak/), can help identify and remediate any vulnerabilities in your system that may be exploited by path traversal attacks.
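
One way to implement the first measure, shown as an added example rather than code from the original page: resolve the requested name to a canonical path and accept it only if it stays inside the intended base directory. The function names and request values are hypothetical, and the naive variant is included only for contrast.

```python
import os
import tempfile

def resolve_naive(base_dir, user_path):
    """Vulnerable pattern: the joined path is used without checking where it lands."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def resolve_safe(base_dir, user_path):
    """Canonicalise, then require the result to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks; join() drops base if user_path is absolute
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate

def classify(base_dir, requests):
    """Map each requested name to 'allowed' or 'rejected' under resolve_safe."""
    verdicts = {}
    for name in requests:
        try:
            resolve_safe(base_dir, name)
            verdicts[name] = "allowed"
        except PermissionError:
            verdicts[name] = "rejected"
    return verdicts

# Constructed request values; the second is the pattern from the OWASP example on this page
REQUESTS = [
    "report.pdf",
    "../../../../some dir/some file",
    "/some dir/some file",
    "archive/../report.pdf",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print("naive result:", resolve_naive(base, REQUESTS[1]))  # lands outside base
        for name, verdict in classify(base, REQUESTS).items():
            print(f"{verdict:8} {name}")
```

`os.path.commonpath` raises `ValueError` for paths on different Windows drives, so treat that case as a rejection when running on Windows.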

Even with all of the preventative measures in place, there will always be a chance that attackers will get through to your directories and compromise your networks. Read our [ultimate guide to modern SIEM](https://www.sumologic.com/guides/siem/) to learn how security information and event management can help minimize the impact of directory traversal attacks.

If you are on the receiving end of a directory traversal attack, you can mitigate the damage by:

- Creating an [incident response](http://www.sumologic.com/glossary/incident-response) plan so that when you do identify an attack, you’ll be prepared for it
- Understanding how your OS processes filenames
- Utilizing a security system that will automatically check for SQL injection, directory traversal and other directory vulnerabilities
- Taking proactive mitigation efforts by [continuously monitoring](http://www.sumologic.com/glossary/continuous-monitoring) your network’s traffic

## How Sumo Logic can help

Sumo Logic’s [Cloud SIEM solution](http://www.sumologic.com/solutions/cloud-siem) helps your team make data-driven decisions and streamline the security investigation process of your networks by:

- Providing you with [real-time analytics](http://www.sumologic.com/solutions/cloud-infrastructure-security) that help you identify and resolve potential cybersecurity threats
- Enabling your team with machine-learning algorithms that provide 24/7 alerts and notifications
- Allowing you to easily customize your dashboards that align your teams by visualizing logs, metrics and performance data for full-stack visibility

Try a [free demo](https://www.sumologic.com/how-it-works/) to see how Sumo Logic can help you today.

### FAQs

**How can a SIEM solution enhance threat detection through log analysis?**

A SIEM solution can enhance [threat detection and response](https://www.sumologic.com/glossary/threat-detection-response) by consolidating and analyzing log data from various sources, such as application logs, system logs, security logs and endpoint logs. This unified view of log data allows for real-time monitoring of security events, anomaly detection and correlation of incidents across the network.

**How can security analysts improve security posture through SIEM-log management?**

Security teams can utilize [syslog](https://www.sumologic.com/syslog/) servers for SIEM-log file management. By configuring data sources to send their logs to a centralized syslog server, security teams can ensure that all relevant log information is aggregated in one location, allowing for easier monitoring and analysis. A syslog server can also support secure log transfer protocols to safeguard the integrity and confidentiality of log files, ensuring sensitive information is protected from unauthorized access or tampering.

**How can using a SIEM platform for log analysis and security monitoring help organizations meet compliance requirements?**

SIEM platforms help organizations [ensure compliance](https://www.sumologic.com/app-catalog/pci-compliance) by centralizing and correlating log data from various sources to provide a unified view of security events. By [proactively monitoring](https://www.sumologic.com/blog/why-proactive-threat-hunting-is-a-necessity) and analyzing logs in real-time, SIEM solutions can detect and alert on potential compliance violations, unauthorized access attempts or security policy breaches. SIEM platforms can also generate detailed reports and [audit trails](https://www.sumologic.com/glossary/audit-log) based on log data, facilitating compliance audits and demonstrating adherence to regulatory standards such as GDPR, [HIPAA](https://www.sumologic.com/glossary/hipaa), [PCI DSS](https://www.sumologic.com/glossary/pci-dss), and others.

**How do SIEM tools work?**

SIEM delivers superior incident response and enterprise security outcomes through several key capabilities, including:

**Data collection** – SIEM tools aggregate event and system logs and security data from various sources and applications in one place.

**Correlation** – SIEM tools use various correlation techniques to link bits of data with common attributes and help turn that data into actionable information for SecOps teams.

**Alerting** – SIEM tools can be configured to automatically alert SecOps or IT teams when predefined signals or patterns are detected that might indicate a security event.

**Data retention** – SIEM tools are designed to store large volumes of log data, ensuring that security teams can correlate data over time and enabling forensic investigations into threats or cyber-attacks that may have initially gone undetected.

**Parsing, log normalization and categorization** – SIEM tools make it easier for organizations to parse through logs that might have been created weeks or even months ago. Parsing, log normalization and categorization are additional features of SIEM tools that make logs more searchable and help to enable forensic analysis, even with millions of log entries to sift through.

