OWASP A01 · Broken Access Control · CWE-22 Path Traversal · High

Path traversal — ../ into arbitrary file read

User-controlled filenames with ../ escape the intended directory and read system files.

What happened

Path traversal (CWE-22) is one of the most actively exploited vulnerability classes of 2025, showing up in file-download and template endpoints. A request such as `?file=../../../../etc/passwd` reads outside the intended folder because the app joins user input to a base path without normalizing the result and checking where it actually ends up.

The code

✕ Vulnerable (Path traversal)
const path = require("path");
const BASE = "/srv/app/public";   // directory the downloads are meant to come from

app.get("/download", (req, res) => {
  res.sendFile(path.join(BASE, req.query.file));  // ../ escapes BASE
});
✓ Fixed (Path traversal)
const path = require("path");
const BASE = path.resolve("/srv/app/public");   // absolute, no trailing separator

app.get("/download", (req, res) => {
  const file = typeof req.query.file === "string" ? req.query.file : "";  // query values may be missing or arrays
  const full = path.resolve(BASE, file);
  if (!full.startsWith(BASE + path.sep)) return res.sendStatus(400);
  res.sendFile(full);   // resolve, then confirm it's still under BASE
});
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.