forum

home / developersection / forums / how do you identify and prevent directory traversal attacks in file uploads?

Ask Question

How do you identify and prevent directory traversal attacks in file uploads?

Ravi Vishwakarma 95 18-May-2025

How do you identify and prevent directory traversal attacks in file uploads?

c# c#  file handling 
Updated on 23-May-2025
Ravi Vishwakarma

Ravi Vishwakarma

Follow

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Can you answer this question?
Answer

1 Answers

Anubhav Kumar

Anubhav Kumar

23-May-2025

Directory traversal attacks (also known as path traversal) aim to access files and directories outside the intended file system structure by manipulating file paths (e.g., using ../ to escape the intended directory). Preventing such attacks in file uploads is critical.

Here’s how to identify and prevent directory traversal in file uploads:

1. Understanding the Attack

Example

POST /upload
filename=../../../../etc/passwd

If the server directly uses this filename, it may write to a sensitive path or overwrite system files.

Prevention Techniques

1. Never Trust User Input for File Paths

Always treat uploaded filenames as untrusted input.

2. Sanitize the Filename

Strip or reject any path-related characters like ../, \, /, null bytes, etc.

Example in C#:

string fileName = Path.GetFileName(uploadedFile.FileName); // strips path

Example in Python:

import os
file_name = os.path.basename(uploaded_file.filename)  # safe filename

3. Use a Safe Upload Directory

Ensure uploaded files are stored in a dedicated directory:

/uploads/user-content/

Do not store uploads in root, config, or executable directories.

4. Enforce File Name Policies

  1. Use a whitelist of allowed characters.
  2. Replace user-supplied names with UUIDs or safe generated names:
var safeFileName = Guid.NewGuid().ToString() + Path.GetExtension(fileName);

5. Validate File Type and Size

  1. Check file extensions (.jpg, .pdf, etc.)
  2. Use MIME type verification and file signature checks (e.g., magic numbers)
  3. Limit file size to prevent DoS

6. Prevent Null Byte Injection

Some languages (e.g., older PHP versions) are vulnerable to null byte injections (%00) which can terminate strings early.

  • Validate and sanitize string input to remove %00 or \0

Additional Hardening

  1. Server-Side Access Control - Ensure the web server does not allow access to the upload directory for direct execution (e.g., disable .php or .exe from running).
  2. Chroot or Containerize Uploads - Use sandboxing techniques (e.g., Docker, chroot) to isolate file upload processing.

Detection (Logging and Monitoring)

  1. Log all uploaded filenames and paths.
  2. Flag suspicious patterns like ../, ..%2F, \..\, %5C, or Unicode variants.
  3. Monitor for unusually structured or nested paths.

Summary Checklist

Security Step Implemented?
Strip path components from filename Yes
Store in a fixed safe directory Yes
Replace filename with UUID Yes
Validate file type and size Yes
Prevent null byte injections Yes
Disable code execution in upload dir Yes

 

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy