Statements (68)
| Predicate | Object |
|---|---|
| gptkbp:instance_of |
gptkb:Common_Weakness_Enumeration
|
| gptkbp:affects |
Web servers
|
| gptkbp:associated_with |
gptkb:CWE-36
|
| gptkbp:can_detect |
Penetration testing.
|
| gptkbp:category |
File and Resource Management
|
| gptkbp:common_attack_vector |
Web applications.
|
| gptkbp:common_mitigation |
Use of secure coding practices.
|
| gptkbp:common_tools |
Burp Suite.
|
| gptkbp:common_vulnerabilities |
File inclusion vulnerabilities.
|
| gptkbp:consequences |
Loss of confidentiality.
|
| gptkbp:countermeasures |
Implement access controls.
|
| gptkbp:description |
A weakness that allows an attacker to access files and directories that are stored outside the intended directory.
|
| gptkbp:difficulty_levels |
gptkb:High
|
| gptkbp:environmental_initiatives |
Code review and testing.
|
| gptkbp:example |
Using '../' in a file path to access restricted files.
User uploads a file with a path traversal. |
| gptkbp:example_attack |
Directory traversal attack.
|
| gptkbp:example_detection |
Using fuzz testing.
|
| gptkbp:example_exploit |
Using a crafted URL.
|
| gptkbp:example_framework |
OWASP ASVS.
|
| gptkbp:example_incident |
Data breach due to path traversal.
|
| gptkbp:example_remediation |
Implementing input sanitization.
|
| gptkbp:example_security_best_practice |
Regular code reviews.
|
| gptkbp:example_security_control |
File access logging.
|
| gptkbp:example_security_framework |
CIS Controls.
|
| gptkbp:example_security_incident |
Unauthorized file access incident.
|
| gptkbp:example_security_measure |
Implementing least privilege.
|
| gptkbp:example_security_risk |
Increased attack surface.
|
| gptkbp:example_security_standard |
NIST Cybersecurity Framework.
|
| gptkbp:example_test_case |
Testing for path traversal.
|
| gptkbp:example_vulnerability |
Accessing configuration files.
|
| gptkbp:example_vulnerability_type |
Path traversal vulnerabilities.
|
| gptkbp:example_vulnerable_code |
PHP file inclusion.
|
| gptkbp:has_enemies |
Web applications
|
| gptkbp:has_weakness |
gptkb:CWE-73
|
| https://www.w3.org/2000/01/rdf-schema#label |
CWE-21
|
| gptkbp:impact |
Access to sensitive data.
Unauthorized file access |
| gptkbp:impact_severity |
Critical.
|
| gptkbp:investment |
Data breach
|
| gptkbp:is_referenced_in |
gptkb:OWASP_Top_Ten
|
| gptkbp:is_vulnerable_to |
Accessing sensitive files.
Exploitable in many scenarios. Input validation vulnerabilities. |
| gptkbp:issues |
Not sanitizing user input.
|
| gptkbp:name |
Path Traversal
|
| gptkbp:prevention |
Input validation
Sanitize file paths. |
| gptkbp:provides_support_for |
File storage systems.
|
| gptkbp:related_compliance |
PCI DSS.
|
| gptkbp:related_cwe |
gptkb:CWE-22
CWE-36, CWE-73. |
| gptkbp:related_to |
gptkb:CWE-22
|
| gptkbp:remediation_strategy |
Use of whitelisting.
|
| gptkbp:reports_to |
Sensitive information exposure
|
| gptkbp:security |
Data protection policy.
High risk of exploitation. ISO/ IEC 27001. Regular security audits. Web application firewalls. NIST SP 800-53. |
| gptkbp:security_best_practice |
Limit file access permissions.
|
| gptkbp:threats |
Data theft.
Malicious file access. |
| gptkbp:tool_support |
Static analysis tools.
|
| gptkbp:vulnerability_class |
Path manipulation.
|
| gptkbp:bfsParent |
gptkb:CWE-20
|
| gptkbp:bfsLayer |
7
|