Directory Traversal Vulnerabilities

A directory traversal vulnerability (often referred to as path traversal) can allow attackers to access files and directories that are stored outside the web root folder.

NOTE Directory traversal has many names, including dot-dot-slash, directory climbing, and backtracking.

It is possible to exploit path traversal vulnerabilities by manipulating variables that reference files with the dot-dot-slash (../) sequence and its variations or by using absolute file paths to access files on the vulnerable system. An attacker can obtain critical and sensitive information when exploiting directory traversal vulnerabilities.
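The following added example (not part of the original course material) contrasts a naive path join with a containment check that rejects both the ../ sequence and absolute paths described above. The function names, directory layout and sample request values are constructed for illustration, and the check assumes the value has already been URL-decoded by the web framework.

```python
import os
import tempfile


def naive_join(web_root: str, user_path: str) -> str:
    # Vulnerable pattern: the request variable is joined to the root as-is.
    return os.path.normpath(os.path.join(web_root, user_path))


def resolve_under_root(web_root: str, user_path: str) -> str:
    """Return the real path for user_path; raise ValueError if it leaves web_root."""
    root = os.path.realpath(web_root)
    # os.path.join discards the root when the second argument is absolute.
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte rejected")
    # realpath collapses ../ and follows symlinks, so the containment check
    # runs on the location that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the web root")
    return candidate


def demo() -> dict:
    """Build a constructed directory tree and classify sample request values."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "webroot")
        os.makedirs(os.path.join(web_root, "img"))
        secret = os.path.join(base, "secret.txt")  # lives outside the web root
        for path in (secret, os.path.join(web_root, "img", "logo.png")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        samples = {"img/logo.png": "img/logo.png", "../secret.txt": "../secret.txt",
                   "img/../../secret.txt": "img/../../secret.txt",
                   "<absolute path>": secret}
        for label, value in samples.items():
            try:
                resolve_under_root(web_root, value)
                results[label] = "allowed"
            except ValueError as exc:
                results[label] = f"blocked: {exc}"
        # The naive join maps the same input to the file outside the root.
        escaped = naive_join(web_root, "../secret.txt")
        results["naive"] = os.path.realpath(escaped) == os.path.realpath(secret)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:26} -> {value}")
```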

The following are a few best practices for preventing and mitigating directory traversal vulnerabilities:

Cookie Manipulation Attacks

Cookie manipulation attacks are often referred to as stored DOM-based attacks (or vulnerabilities). Cookie manipulation is possible when vulnerable applications store user input and then embed that input in a response within a part of the DOM. This input is later processed in an unsafe manner by a client-side script. An attacker can use a JavaScript string (or other scripts) to trigger the DOM-based vulnerability. Such scripts can write controllable data into the value of a cookie.

An attacker can take advantage of stored DOM-based vulnerabilities to create a URL that sets an arbitrary value in a user’s cookie.

NOTE The impact of a stored DOM-based vulnerability depends on the role that the cookie plays within the application.

TIP A best practice for avoiding cookie manipulation attacks is to avoid dynamically writing to cookies using data originating from untrusted sources.

Source: Cisco Certified Ethical Hacker Course