Directory traversal in AP Cybersecurity

Directory traversal is an application attack where an adversary manipulates file path input (like ../) to access files and folders outside the directory the app is supposed to serve, exploiting weak input checks and weak access control settings.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is directory traversal?

Directory traversal (also called path traversal) is when an attacker tricks a web application into handing over files it was never supposed to share. Web apps often take user input to decide which file to load, like report.pdf. If the app doesn't check that input, an attacker can type something like ../../etc/passwd and walk backward up the folder tree to grab sensitive system files.

The ../ sequence means "go up one folder." Stack enough of them and you climb out of the app's designated directory and into the rest of the file system. This is a classic application vulnerability under [AP Cybersecurity 5.1.B]: the app takes open-ended input through a field but fails to verify it matches what's expected. It also ties into [AP Cybersecurity 5.1.A] because weak access control settings (EK 5.1.A.3) and unencrypted files (EK 5.1.A.1) make those out-of-bounds files readable once the attacker reaches them.

Why directory traversal matters in AP Cybersecurity

Directory traversal lives in Unit 5: Securing Applications and Data, specifically topic 5.1. It supports [AP Cybersecurity 5.1.B] (how application attacks exploit vulnerabilities) and [AP Cybersecurity 5.1.A] (how adversaries exploit file vulnerabilities to cause loss or disruption). The reason it matters for the exam is the CIA triangle from [AP Cybersecurity 5.1.C]: directory traversal is primarily a confidentiality attack because it lets an unauthorized person read files they shouldn't see. If those files are governed by laws (think PII, PHI, or PCI data), that's exactly the high-risk scenario EK 5.1.C.2 describes.

How directory traversal connects across the course

Data validation and input sanitization (Unit 5)

Directory traversal works because the app skips the input check from EK 5.1.B.2. Validating that the input is an expected filename, and sanitizing out ../ sequences, is the direct fix. Same root cause as injection attacks, different payload.

SQL injection and XSS (Unit 5)

All three are the same family: untrusted user input the app trusts when it shouldn't. SQL injection targets a database query, XSS targets the browser, and directory traversal targets the file system. Recognize the pattern and you can sort any of them on the exam.

Access control and elevated privileges (Unit 5)

EK 5.1.A.3 says weak access control settings let too many users read sensitive files. Directory traversal exploits exactly that. If the server account running the app has broad file permissions, the attacker inherits that reach once they escape the app's folder.

Data at rest and PII/PHI/PCI (Unit 5)

The files a traversal attack steals are data at rest. If they're unencrypted (EK 5.1.A.1) and contain regulated data like PII, PHI, or PCI, the confidentiality breach jumps to high risk under EK 5.1.C.2.

Is directory traversal on the AP Cybersecurity exam?

Expect directory traversal in multiple-choice questions that describe a web app loading a file based on unchecked user input, then ask you to name the attack or its missing defense. The practice-question pattern is consistent: an app "fails to validate" or "fails to check" input, and you pick either the attack (directory traversal, SQL injection, XSS) or the missing control (input sanitization, data validation). On free-response, you'd analyze a scenario for vulnerability and risk: identify that unchecked file-path input is the flaw, that confidentiality is the compromised CIA element, and that validating or sanitizing input is the mitigation. Tie your answer back to the specific essential knowledge (5.1.B for the input flaw, 5.1.A for the file access, 5.1.C for the risk).

Directory traversal vs SQL injection

Both come from trusting unchecked user input, but they hit different targets. SQL injection inserts malicious characters into a database query (like ' OR '1'='1) to dump records. Directory traversal inserts path characters (like ../) to read files off the server's disk. If the scenario mentions a database query, it's SQLi; if it mentions reading files or folders, it's traversal.

Key things to remember about directory traversal

  • Directory traversal lets an attacker use file-path tricks like ../ to read files outside the folder a web app is supposed to serve.

  • It exists because the app fails to validate or sanitize file-path input, the same root cause behind SQL injection and XSS.

  • It's primarily a confidentiality attack under the CIA triangle, since it exposes files unauthorized users should never see.

  • Risk spikes when the stolen files are unencrypted and contain regulated data like PII, PHI, or PCI (EK 5.1.C.2).

  • The fix is input validation and sanitization plus tight access control so the app account can't reach sensitive files.

Frequently asked questions about directory traversal

What is directory traversal in AP Cybersecurity?

It's an application attack where an adversary manipulates file-path input, often with ../ sequences, to access files outside the directory the app should serve. It maps to topic 5.1 and exploits the missing input check described in EK 5.1.B.2.

Is directory traversal the same as SQL injection?

No. Both abuse unchecked user input, but SQL injection alters a database query to leak records, while directory traversal manipulates a file path to read files off the server's disk. The clue is the target: database means SQLi, files or folders means traversal.

Why is directory traversal a confidentiality problem and not integrity?

Because the attacker is reading files they aren't authorized to see, which breaks confidentiality under EK 5.1.C.1. Integrity would mean altering data; traversal's main damage is unauthorized access to existing files.

How do you prevent a directory traversal attack?

Validate and sanitize user input so the app rejects path characters like ../, and configure tight access controls so the app's account can't reach sensitive files in the first place. This combines the defenses from EK 5.1.B.2 and EK 5.1.A.3.
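As an added example (not part of this study guide), the Python helper below shows a file-serving routine in its vulnerable form beside the canonicalizing check that fixes it, covering both the Unit 5 validation fix above and this prevention answer. The directory layout and file names are constructed for the demo.

```python
import os
import tempfile

def unsafe_read(base_dir: str, user_path: str) -> str:
    """Vulnerable: user input is joined straight onto the served folder.
    os.path.join follows '../' upward, so the result can land outside base_dir."""
    with open(os.path.join(base_dir, user_path)) as f:
        return f.read()

def safe_path(base_dir: str, user_path: str) -> str:
    """Hardened: canonicalize the joined path, then require that it still sits
    inside base_dir. Resolving first (rather than deleting '../' substrings)
    also catches absolute paths and symlinks that point out of the folder."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes served directory: {user_path!r}")
    return target

def is_allowed(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if the request stays inside the served folder."""
    try:
        safe_path(base_dir, user_path)
        return True
    except ValueError:
        return False

def build_demo() -> tuple[str, str]:
    """Constructed fixture (hypothetical layout): a served 'public' folder holding
    report.pdf, plus a sibling file one level up that the app must never expose."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "public")
    os.mkdir(served)
    with open(os.path.join(served, "report.pdf"), "w") as f:
        f.write("quarterly report")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("PII that should stay private")
    return served, secret

if __name__ == "__main__":
    served, _ = build_demo()
    # Vulnerable version hands over the sibling file (confidentiality breach).
    print("unsafe:", unsafe_read(served, "../secret.txt"))
    # Hardened version serves the expected file and rejects the traversal.
    with open(safe_path(served, "report.pdf")) as f:
        print("safe:", f.read())
    print("traversal allowed?", is_allowed(served, "../secret.txt"))
```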

Is directory traversal an injection attack?

Not in the strict sense the exam uses for injection (SQL injection is the classic injection example). But it belongs to the same broader family: untrusted user input the app trusts when it shouldn't. Watch the wording in MCQ stems to pick the precise term.
