Statements (67)
| Predicate | Object |
|---|---|
| gptkbp:instance_of |
gptkb:Common_Weakness_Enumeration
|
| gptkbp:bfsLayer |
5
|
| gptkbp:bfsParent |
gptkb:CWE-20
|
| gptkbp:affects |
Web servers
|
| gptkbp:associated_with |
gptkb:CWE-36
|
| gptkbp:category |
File and Resource Management
|
| gptkbp:consequences |
Loss of confidentiality.
|
| gptkbp:countermeasures |
Implement access controls.
Use of secure coding practices. |
| gptkbp:defense_mechanism |
Web applications.
|
| gptkbp:difficulty |
gptkb:High
|
| gptkbp:enemy |
Web applications
|
| gptkbp:example |
Using '../' in a file path to access restricted files.
Data breach due to path traversal. Directory traversal attack. User uploads a file with a path traversal. Using a crafted URL. Using fuzz testing. |
| gptkbp:has_weakness |
gptkb:CWE-73
|
| https://www.w3.org/2000/01/rdf-schema#label |
CWE-21
|
| gptkbp:impact |
Critical.
Access to sensitive data. Unauthorized file access |
| gptkbp:investment |
Data breach
|
| gptkbp:is_a_framework_for |
OWASPASVS.
|
| gptkbp:is_a_tool_for |
Static analysis tools.
Burp Suite. |
| gptkbp:is_described_as |
A weakness that allows an attacker to access files and directories that are stored outside the intended directory.
|
| gptkbp:is_protected_by |
Input validation
Sanitize file paths. |
| gptkbp:is_referenced_in |
gptkb:API
|
| gptkbp:is_tested_for |
Testing for path traversal.
|
| gptkbp:is_vulnerable_to |
Accessing configuration files.
Accessing sensitive files. Exploitable in many scenarios. Input validation vulnerabilities. PHP file inclusion. Path manipulation. Path traversal vulnerabilities. |
| gptkbp:issues |
Not sanitizing user input.
|
| gptkbp:name |
Path Traversal
|
| gptkbp:recognizes |
Penetration testing.
|
| gptkbp:regulatory_compliance |
PCIDSS.
|
| gptkbp:related_to |
gptkb:CWE-22
CWE-36, CWE-73. |
| gptkbp:reports_to |
Sensitive information exposure
|
| gptkbp:restoration |
Implementing input sanitization.
Use of whitelisting. |
| gptkbp:security_features |
NIST Cybersecurity Framework.
CIS Controls. Data protection policy. File access logging. File inclusion vulnerabilities. High risk of exploitation. ISO/ IEC 27001. Implementing least privilege. Increased attack surface. Limit file access permissions. NISTSP 800-53. Regular code reviews. Regular security audits. Unauthorized file access incident. Web application firewalls. |
| gptkbp:supports |
File storage systems.
|
| gptkbp:sustainability_initiatives |
Code review and testing.
|
| gptkbp:threats |
Data theft.
Malicious file access. |