High severity · Injection

Path Traversal

Path traversal attacks use sequences like `../../../` in file path parameters to escape your application's intended directory and read files anywhere on the server — including configuration files, environment variables, and private keys.

Think of it this way

Imagine your app lets users request a document by name: /files/report.pdf. A path traversal attacker instead requests /files/../../../etc/passwd — essentially saying 'go up three levels and give me the server's user account file'. If the application does not check what directory it ends up in, it obeys.

How it works

Any endpoint that accepts a filename or file path as input is potentially vulnerable. The attacker submits inputs like `../../etc/shadow`, `....//....//etc/passwd`, or URL-encoded variants (`%2e%2e%2f`). If the server constructs a file path using this input without sanitisation, it reads files outside the intended directory — potentially exposing the `.env` file with database passwords, SSL certificates, or application secrets.

Real-world scenarios

Scenario 1

Direct .env access via misconfigured server

A Node.js app uses `express.static('.')` — serving from the project root instead of a `public/` folder. An attacker simply requests `GET /.env` and receives the raw file: database URL, JWT secret, Paystack secret key, and every other credential the app uses. No path traversal tricks needed — the server hands it over willingly.

Scenario 2

Nginx not blocking dot-files

A startup deploys their API behind Nginx but forgets to add `location ~ /\. { deny all; }`. Attackers routinely probe `GET /.env`, `GET /.env.local`, `GET /.env.production`, and `GET /.git/config`. On this server, all four requests return 200 OK with the file contents.

Scenario 3

Path traversal via file parameter

An API endpoint accepts a filename to serve documents: `GET /api/files?name=report.pdf`. An attacker submits `name=../../.env` and the server walks up two directories and reads the environment file — exposing the database password and payment API keys in the response body.

Scenario 4

Source code theft

A file download endpoint is exploited with `../../app/index.js`, exposing the application's business logic, hardcoded secrets, and internal API structure — giving the attacker a full map of how the system works before their next move.

How Anomira detects this

Anomira flags two patterns: (1) requests to well-known sensitive paths like `/.env`, `/.env.local`, `/.env.production`, `/.git/config`, and `/etc/passwd` — these are never legitimate user requests; (2) path traversal sequences (`../`, `..\`, `%2e%2e%2f`, `....//`) in any query parameter or request body. Both patterns trigger an immediate alert regardless of whether the server returned the file.

What to do

  • Configure your web server to block all dot-file access: in Nginx, add `location ~ /\. { deny all; }` to every server block.
  • Serve static files from a dedicated `public/` directory — never from your project root where `.env` lives.
  • Never use user-supplied input directly in file path construction — always resolve and validate against a whitelist of allowed base directories.
  • Add `.env` to `.gitignore` and audit your repository history to ensure it was never accidentally committed.
  • Use a secrets manager (AWS Secrets Manager, Doppler, Vault) instead of `.env` files in production — secrets that don't exist on disk can't be stolen from disk.
  • Block IPs attempting these probes in Anomira immediately — scanning for `.env` files is never legitimate traffic.
