cloud1
cloud2
cloud3
cloud4
cloud5
cloud6
← Back to annotator catalog
Path traversal attempts signal illustration
Annotator trav

Path traversal attempts

Request paths/parameters resemble attempts to access files outside intended directories.

Attack family · Directory traversal and local file inclusion Phase · Exploit delivery Risk · High
How It Works Recent Real Samples

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Directory traversal sequences in raw or encoded form
  • LFI-style payload construction in paths and parameters
  • Escape attempts out of intended web roots
Logic
  • The annotator scans for classic traversal syntax and keeps the strongest rule per request.
  • Encoded and raw traversal forms both count.
  • It is a specific exploit-family signal rather than a broad malformed-input category.
Attack Family
Directory traversal and local file inclusion
Phase · Exploit delivery Risk · High
Traversal is one of the cleanest exploit-family signals in web traffic. If it lands, the attacker moves from browsing the app to reading files the app was never meant to expose.
Damage Patterns
  • Successful traversal can reveal credentials, application secrets, source code, and host configuration.
  • It often becomes a bridge into deeper exploitation because file reads tell the attacker how the target is built.
Incident Lore
  • Traversal has powered everything from configuration theft to full remote compromise when sensitive files unlocked the next step.
  • Mass scan campaigns frequently include traversal because it is cheap to try and disproportionately rewarding when defenses are weak.
How To Read It
This is the cleanest signal for requests trying to reach files outside the allowed application path.
Defender Takeaway
This is not generic weird input. It is a direct attempt to step outside the intended file boundary.
Catalog Definition
Flags directory/path traversal indicators (e.g., patterns intended to escape a web root or reach system files). Used to explain suspicious path crafting commonly seen during reconnaissance. False positives can occur if user-supplied content legitimately contains traversal-like strings, so repetition and endpoint context matter.

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week
2026W15
Lookback
30 days
Total matched
5603
Latest sample
Apr 05, 2026 • 21:27
Top rules
trav:sensitive_target · 9 trav:wrapper · 1
Top requester orgs
Hetzner Online GmbH · 8 Vietnam Posts and Telecommunications Group · 1 FBW NETWORKS · 1
Severity mix
34 · 9 30 · 1
Method mix
GET · 10
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.dist
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.orig
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php~
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.swp
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.save
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.old
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:27
/wp-config.php.bak
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 34
Apr 05, 2026 • 21:26
/wp-config.php
Path traversal / LFI indicator detected
IP 65.21.108.15 Subnet 65.21.108.0/24 Org Hetzner Online GmbH Country Finland Rule trav:sensitive_target
GET 404 30
Apr 05, 2026 • 17:17
/test.php?%EF%BF%BDd+cgi.force_redirect=0+%EF%BF%BDd+cgi.redirect_status_env+%EF%BF%BDd+allow_url_include%3D1+%EF%BF%BD…
Path traversal / LFI indicator detected
IP 14.180.135.172 Subnet 14.180.135.0/24 Org Vietnam Posts and Telecommunications Group Country Vietnam Rule trav:wrapper
GET 301 34
Apr 05, 2026 • 15:04
/%EF%BF%BD%EF%BF%BD.env
Path traversal / LFI indicator detected
IP 185.177.72.38 Subnet 185.177.72.0/24 Org FBW NETWORKS Country France Rule trav:sensitive_target