Path Traversal

A Debian-first guide to detecting attempts to escape intended directories, reviewing sensitive file targeting, and reducing filesystem exposure in web applications.

What this is

Path traversal is an attack that attempts to access files outside the intended directory or web root by manipulating file paths. Attackers often use sequences like ../, encoded traversal strings, or alternate path syntax to reach sensitive files.

Common targets include application configs, environment files, SSH keys, passwd files, logs, backups, and source code.

What it looks like

Detect

Review recent web service logs

sudo journalctl -u caddy --since "1 hour ago"

Search for common path traversal indicators

sudo grep -Ei "\.\./|%2e%2e|/etc/passwd|/proc/self|/root/|/home/" /var/log/caddy/*.log 2>/dev/null | tail -n 100

Review targeted parameterized file paths

sudo grep -Ei "file=|path=|download=|template=|doc=|view=" /var/log/caddy/*.log 2>/dev/null | tail -n 100

Count repeated client IPs

# Assumes a space-separated access log with the client IP in the first field; Caddy's default JSON access logs need a JSON-aware extraction instead
sudo awk '{print $1}' /var/log/caddy/*.log 2>/dev/null | sort | uniq -c | sort -nr | head

Review filesystem exposure near the application

sudo find /var/www -maxdepth 4 -type f | less

Contain

Block a clearly abusive source IP

sudo ufw deny from <IP_ADDRESS>

Temporarily restrict the affected endpoint if needed

# Limit or disable the vulnerable file-handling path while investigating

Remove publicly reachable sensitive files

sudo find /var/www -type f \( -name ".env" -o -name "*.bak" -o -name "*.old" -o -name "*.zip" \)

Recover

Review whether any targeted files were actually exposed

sudo find /var/www -type f | less

Inspect the application path handling logic

# Review how the application resolves user-supplied file paths

Check for follow-on activity after traversal attempts

sudo grep -Ei "Accepted|sudo|login|auth" /var/log/auth.log
sudo journalctl --since "24 hours ago"

Recovery means verifying whether traversal attempts stayed unsuccessful or whether they exposed real files, secrets, or application internals.

Prevent

Option 1 — Avoid unsafe path handling in the application

# Do not trust user-supplied file paths directly
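
As an added example (not part of the original guide), a Python resolver that makes this rule concrete: percent-decode the request to a fixed point so the encoded sequences searched for in the Detect section are caught, map it under the web root, resolve symlinks, and refuse anything whose real path leaves the root. The temporary web root, file names, symlink target and request strings are constructed test data.

```python
import os
import tempfile
from urllib.parse import unquote

# Decode until stable so double-encoding (%252e%252e%252f) is caught; cap the passes.
MAX_DECODE_PASSES = 3


def normalize_user_path(raw: str) -> str:
    """Percent-decode a user-supplied path to a fixed point and unify separators."""
    decoded = raw
    for _ in range(MAX_DECODE_PASSES):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if unquote(decoded) != decoded:
        raise ValueError("excessive percent-encoding")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so "..\" cannot slip past a "/"-only check.
    return decoded.replace("\\", "/")


def resolve_under_root(root: str, raw: str):
    """Return the on-disk path for `raw` if it stays inside `root`, else None."""
    root_real = os.path.realpath(root)
    # A leading "/" is mapped under the root, the way a web server maps "/x" to <root>/x.
    rel = normalize_user_path(raw).lstrip("/")
    # realpath() follows symlinks, so a link under the root pointing outside it is rejected.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo() -> dict:
    """Exercise the resolver against a constructed web root (example data only)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        open(os.path.join(root, "docs", "guide.txt"), "w").close()
        # Constructed symlink inside the root that points outside it.
        os.symlink("/etc/hostname", os.path.join(root, "docs", "link"))
        requests = {
            "plain": "docs/guide.txt",
            "dotdot": "docs/../../etc/passwd",
            "encoded": "docs/%2e%2e/%2e%2e/etc/passwd",
            "double": "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
            "leading_slash": "/docs/guide.txt",
            "symlink": "docs/link",
        }
        return {k: resolve_under_root(root, v) is not None for k, v in requests.items()}
```

Only "plain" and "leading_slash" resolve; every traversal variant and the symlink escape return None, which the application should turn into a 404 rather than an error message that reveals the resolved path.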

Option 2 — Keep sensitive files out of the web root

sudo find /var/www -type f | less

Option 3 — Remove unnecessary backups and archives

sudo find /var/www -type f \( -name "*.bak" -o -name "*.old" -o -name "*.zip" \)

Option 4 — Review logs for traversal patterns regularly

sudo journalctl -u caddy --since "24 hours ago"

Option 5 — Keep the application stack updated

sudo apt update
sudo apt upgrade

Optional Tools & Hosting

Manual review of logs, file exposure, and application path handling should come first. Future recommendations may include tooling that improves visibility, but the best protection is keeping sensitive content out of reach and avoiding unsafe path resolution.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.