File Path Traversal Testing

by sickn33 · vlatest · Repository

Identifies potential vulnerabilities in code handling file paths, preventing unauthorized access and data breaches.

Install on your platform

1. Run in terminal (recommended)

claude mcp add file-path-traversal-testing npx -- -y @trustedskills/file-path-traversal-testing

2. Or manually add to ~/.claude/settings.json

{
  "mcpServers": {
    "file-path-traversal-testing": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/file-path-traversal-testing"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill enables AI agents to systematically test web applications for file path traversal vulnerabilities by injecting malicious directory traversal sequences into input fields. It verifies whether an application improperly handles user-supplied file paths, potentially allowing attackers to access sensitive files outside the intended directory structure.

When to use it

  • Assessing file upload endpoints to ensure they restrict uploads to safe directories.
  • Validating search or filter parameters that accept file names or paths from users.
  • Auditing dynamic report generation features that construct file paths based on user input.
  • Performing security regression testing after deploying new file handling logic.

Key capabilities

  • Injects directory traversal payloads (e.g., ../, ..\) into application inputs.
  • Monitors HTTP responses for unauthorized file access indicators like 200 OK with sensitive content.
  • Identifies missing input sanitization or improper canonical path resolution in backend code.
  • Reports specific vulnerable parameters and the exact payload that triggered the issue.
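For the backend side of the canonical path resolution point above, here is an added example (not part of this skill or its repository) of a regression check that runs a naive join and a canonicalising resolver against the same inputs. The function names, the temporary directory layout and the input list are constructed for illustration, and the symlink case assumes a POSIX host.

```python
import os
import tempfile
from pathlib import Path

def naive_resolve(base, user_path):
    """The 'before': joins user input onto the base without canonicalising."""
    return os.path.join(base, user_path)

def safe_resolve(base, user_path):
    """Canonicalise first, then require the result to stay under base."""
    base_real = Path(base).resolve()
    # Treat '\' as a separator too, so '..\' is caught on POSIX hosts as well.
    candidate = (base_real / user_path.replace("\\", "/")).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate

def run_regression(resolver):
    """Return the constructed inputs that the resolver let out of the base."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "data"
        base.mkdir()
        (base / "report.txt").write_text("in scope")
        (root / "secret.txt").write_text("out of scope")
        os.symlink(root, base / "link")  # symlink inside base that points out
        cases = [
            "report.txt",               # legitimate request
            "../secret.txt",            # parent-directory sequence
            "..\\secret.txt",           # backslash variant
            "sub/../../secret.txt",     # sequence hidden behind a subdirectory
            "link/secret.txt",          # escape through a symlink
            str(root / "secret.txt"),   # absolute path replaces the base
        ]
        escaped = []
        for case in cases:
            try:
                resolved = Path(os.path.realpath(resolver(base, case)))
            except ValueError:
                continue  # rejected, which is the desired outcome
            if resolved != base and base not in resolved.parents:
                escaped.append(case)
        return escaped

if __name__ == "__main__":
    print("naive:", run_regression(naive_resolve))
    print("safe: ", run_regression(safe_resolve))
```

A check like this fits the regression-testing use case listed earlier: it fails the build when a change to file handling logic lets any input resolve outside the base directory.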

Example prompts

  • "Test the /api/upload endpoint for file path traversal vulnerabilities using common payloads."
  • "Scan the search parameter of the report generator to see if it allows accessing files outside the data directory."
  • "Simulate a file path traversal attack on the user profile download feature and report findings."

Tips & gotchas

Ensure you have explicit authorization before testing, as this skill can expose sensitive data if vulnerabilities exist. Always run these tests in isolated environments or with proper sandboxing to prevent accidental data leakage during development.

TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

  • Gen Agent Trust Hub: Pass
  • Socket: Pass
  • Snyk: Pass

Details

  • Version: vlatest
  • License:
  • Author: sickn33
  • Installs: 185

Passed automated security scans.