A penetration tester alters the "file" parameter in a web application (e.g., view?file=report.txt) to ../../../../etc/passwd and successfully accesses restricted system files. What attack method does this scenario illustrate?
A.
Conduct a brute-force attack to obtain administrative credentials
B.
Use directory traversal sequences in URL parameters to retrieve unauthorized system content
C.
Inject malicious scripts into web pages to manipulate content via XSS vulnerabilities
D.
Exploit buffer overflow issues by injecting oversized data in HTTP request headers
CEH v13 explains that directory traversal (also called path traversal) occurs when an application improperly handles user-supplied input used for file path generation. Attackers exploit this by inserting traversal sequences such as ../ beyond the intended directories, gaining access to sensitive files like /etc/passwd, configuration data, or source code. The vulnerability arises from missing input validation and failure to restrict file access to safe directories. CEH stresses that directory traversal is common in file handling functions such as view, download, or include operations. Brute-forcing credentials (Option A) is unrelated. XSS (Option C) targets script injection into web pages, not file access. Buffer overflow (Option D) manipulates memory, not file paths. Therefore, the scenario represents classic directory traversal exploitation.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit