Testing for directory traversal vulnerabilities with Burp Suite
Last updated: September 14, 2023
Read time: 2 minutes
Directory traversal vulnerabilities (also known as file path traversal vulnerabilities) allow an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
You can use Burp to test for these vulnerabilities:
- Use Burp Scanner to automatically flag potential directory traversal vulnerabilities.
- Use Burp Intruder to insert a list of directory traversal fuzz strings into a request. The strings may enable you to read arbitrary files on the server.
You can follow this process using the "File path traversal, traversal sequences stripped with superfluous URL-decode" lab from our Web Security Academy.
Scanning for directory traversal vulnerabilities
If you're using Burp Suite Professional, you can use Burp Scanner to test for directory traversal vulnerabilities:
- In Proxy > HTTP history, identify a request that you want to investigate.
- Right-click the request and select Do active scan. Burp Scanner audits the request.
- Review the Issue activity panel on the Dashboard to identify any directory traversal issues that Burp Scanner flags.
Fuzzing for directory traversal vulnerabilities
You can alternatively use Burp Intruder to test for directory traversal vulnerabilities. This process also enables you to closely investigate any issues that Burp Scanner has identified:
- In Proxy > HTTP history, identify a request you want to investigate.
- Right-click the request and select Send to Intruder.
- Go to the Intruder tab.
- Highlight the parameter that you want to test and click Add § to mark it as a payload position.
- Go to the Payloads tab. Under Payload Settings [Simple list], add a list of directory traversal fuzz strings:
- Click Start attack. The attack starts running in a new dialog. Intruder sends a request for each fuzz string on the list.
- When the attack is finished, study the responses to look for any noteworthy behavior. For example, look for responses that are noticeably longer than the others. These may contain data that has been returned from the requested file.
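As an added illustration of the server-side weakness this test looks for (example code, not part of this page or of Burp Suite), here is a Python path check that canonicalises the requested filename and rejects anything that resolves outside the base directory, regardless of how the traversal sequence was encoded; the `BASE_DIR` value and the sample inputs are constructed for the example.

```python
import os
import urllib.parse
from typing import Optional

# Assumed document root of a hypothetical image-serving endpoint (constructed value).
BASE_DIR = "/var/www/images"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so the check is not fooled
    by a sequence that only becomes a traversal after a second decode."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(filename: str) -> Optional[str]:
    """Return the canonical path to serve, or None if the request must be rejected.

    Rather than stripping '../' from the input (a filter that encoding tricks
    can slip past), the check resolves the joined path with realpath(), which
    also follows symlinks, and then requires BASE_DIR to be a component-wise
    prefix of the result.
    """
    base = os.path.realpath(BASE_DIR)
    decoded = fully_decode(filename)
    # os.path.join discards `base` when `decoded` is absolute, so an absolute
    # request resolves on its own and then fails the containment test below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole components: "/var/www/images-old/x" is not
    # inside "/var/www/images" even though it shares the string prefix.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs of the kind a traversal fuzz list contains.
    for name in ["cat.jpg", "gallery/../cat.jpg", "../../../etc/passwd",
                 "..%2f..%2f..%2fetc%2fpasswd", "/etc/passwd"]:
        print(f"{name!r:32} -> {safe_resolve(name)}")
```

A response that grows in length during the Intruder attack is the symptom; a resolver like this one, which reasons about the final path instead of the input string, is the fix.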