// THREAT DETECTION AND DATA PRIVACY TERM
Directory Traversal
Directory traversal is a web security attack in which an intruder manipulates user-supplied file path input, typically a URL or request parameter that the application uses to locate a file, in order to access files and directories stored outside the intended web root folder. By supplying sequences like "../", the attacker moves up the directory tree and can potentially read sensitive system files.
TECHNICAL DEFINITION
A Directory Traversal, also known as a Path Traversal or dot-dot-slash attack, is a web security vulnerability that enables an attacker to gain unauthorized access to the file system. The exploit involves manipulating file path inputs using special character sequences like '../' to navigate outside the web server's root directory, thereby allowing retrieval of sensitive configuration files, source code, or system credentials.
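The mechanism described above, as a defensive worked example added here (it is not code from the original entry): a vulnerable path resolver beside a hardened one that decodes, normalises and then enforces that the result stays inside the web root, plus a check that replays logged request paths through the hardened resolver to flag traversal attempts. The web root, URL prefix and access-log lines are constructed for illustration and do not come from any real deployment.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example values: a hypothetical web root and the URL prefix that maps onto it.
WEB_ROOT = "/var/www/site/static"
URL_PREFIX = "/static/"


def unsafe_resolve(user_path: str) -> str:
    """Vulnerable pattern: the request path is joined to the root and normalised,
    so '../' sequences in user_path are honoured and can climb out of WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path: str):
    """Hardened pattern: decode, reject NUL bytes, normalise, then verify that the
    result is still under WEB_ROOT. Returns None when the request is refused.
    Caveat: posixpath does not treat backslash as a separator, so on a Windows
    host backslashes must be folded into '/' before this check."""
    decoded = unquote(unquote(user_path))  # covers %2e%2e%2f and double encoding
    if "\0" in decoded:
        return None
    decoded = decoded.lstrip("/")  # an absolute request path is still resolved under the root
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    root_prefix = WEB_ROOT.rstrip("/") + "/"
    if candidate != WEB_ROOT and not candidate.startswith(root_prefix):
        return None  # normalised path escaped the web root
    return candidate


# Constructed access-log lines (not real traffic) in common log format.
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /static/css/app.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1842',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /static/img/../logo.png HTTP/1.1" 200 9001',
]

LOG_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')


def flag_traversal(log_lines):
    """Replay each logged request path under URL_PREFIX through safe_resolve;
    anything the hardened resolver refuses is a traversal attempt. Returns
    (client_ip, request_path, status) tuples. A flagged line with status 200
    means the server actually served something outside the web root; a 403
    means the request was blocked. 'img/../logo.png' is NOT flagged because it
    normalises to a path inside the root, so the check keys on the resolved
    location rather than on the mere presence of '..'."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group(2).startswith(URL_PREFIX):
            continue
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], int(m.group(3))
        if safe_resolve(path[len(URL_PREFIX):]) is None:
            flagged.append((ip, path, status))
    return flagged


if __name__ == "__main__":
    print("unsafe:", unsafe_resolve("../../../../etc/passwd"))   # escapes the root
    print("safe:  ", safe_resolve("../../../../etc/passwd"))     # None, refused
    for ip, path, status in flag_traversal(CONSTRUCTED_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

The point of `safe_resolve` is that the decision is made on the normalised result, not by searching the input for `..`: encoded and doubly encoded variants are decoded first, and a path that contains `..` but stays inside the root is still served. In `flag_traversal` the HTTP status on a flagged line is what tells the responder whether the attempt was blocked or succeeded.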
BACKGROUND
Kaseya Limited is an information technology company headquartered in Miami. Kaseya develops software for network monitoring, system monitoring, and other information technology applications, selling primarily to managed service providers (MSPs) and internal IT departments. MSPs, which provide outsourced IT services to small and medium businesses, use Kaseya products in their companies and resell the products to their customers. Kaseya is majority-owned by private equity firm Insight Partners and owns the naming rights to the Miami Heat arena, Kaseya Center. It was founded in 2000. A ransomware attack on Kaseya VSA software caused downtime for some Kaseya customers and downstream organizations in July 2021.
SYNONYMS & ALIASES
- Path Traversal
- dot-dot-slash attack
- directory climbing
- backtracking
- file path injection
- ../ (dot-dot-slash)
USAGE NOTE
This attack is commonly tested for by security professionals when assessing web applications that handle user-supplied input to access files.
DEVELOPERS
Organizations developing technology related to Directory Traversal.
Creator of Burp Suite, a leading platform for web application security testing. Its scanner is widely used by security professionals to automatically and manually discover vulnerabilities, including directory traversal.
A non-profit organization focused on improving software security. They develop and maintain open-source tools like the Zed Attack Proxy (ZAP), which can scan web applications to find security flaws like path traversal.
Specializes in Dynamic Application Security Testing (DAST) through its Invicti and Acunetix products. Their technology automatically crawls and scans web applications to detect and confirm vulnerabilities like directory traversal.
Provides an application security testing platform that includes Static (SAST) and Interactive (IAST) analysis. Their tools scan source code and running applications to identify security vulnerabilities, including path traversal, early in the development cycle.
A web performance and security company that offers a Web Application Firewall (WAF). The WAF inspects HTTP/S requests and applies rule sets to block malicious patterns indicative of directory traversal attacks before they reach the server.
Offers a cloud-based application security platform that combines DAST, SAST, and Software Composition Analysis (SCA) to identify and help remediate flaws, including directory traversal vulnerabilities, across the software development lifecycle.
A cyber exposure company known for its Nessus vulnerability scanner. Its Tenable Web App Scanning product specifically tests web applications for a wide range of security issues, including the OWASP Top 10, which covers directory traversal.
Provides security data and analytics solutions. Their InsightAppSec product is a DAST tool that scans applications for vulnerabilities like directory traversal, while the Metasploit Framework is used by penetration testers to validate such findings.