Path traversal

Path traversal is an application attack where an adversary manipulates file path input (often using sequences like ../) to access files outside the intended directory, exposing sensitive or unencrypted data on the server.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is path traversal?

Path traversal (also called directory traversal) is an attack that tricks an application into reading or writing files it was never supposed to touch. Web apps often pull files based on user input, like loading report.pdf from a downloads folder. If the app doesn't check that input, an attacker can type something like ../../etc/passwd instead. Those ../ sequences mean "go up one folder," so the app climbs out of its safe directory and hands over system files.

This is a classic example of what happens when developers don't validate user input (EK 5.1.B.2). The attacker isn't breaking encryption or guessing a password. They're just feeding the app a sneaky file path through an open-ended input field, and the app obeys. If those files are unencrypted, the adversary can read them outright (EK 5.1.A.1), and if access control is weakly configured, even more files are exposed (EK 5.1.A.3).

Why path traversal matters in AP Cybersecurity

Path traversal lives in Unit 5, Topic 5.1 (Application and Data Vulnerabilities and Attacks), and it's a textbook case for [AP Cybersecurity 5.1.B], which asks you to explain how application attacks exploit vulnerabilities. It also ties into [AP Cybersecurity 5.1.A] because the whole point of the attack is reading files the adversary shouldn't reach. When you assess risk under [AP Cybersecurity 5.1.C], path traversal is a confidentiality threat: it lets unauthorized people see sensitive data. The big theme is that attacks like this exist because input wasn't checked, not because the encryption was weak.


How path traversal connects across the course

Directory Traversal (Unit 5)

These are the same attack under two names. "Directory" and "path" both refer to where a file lives, so if you see one term on the exam, treat it exactly like the other.

Data Validation (Unit 5)

Path traversal works only when an app skips checking user input. Data validation is the fix: confirm the input is a real, expected filename (an allowlist of permitted names or characters, with no path separators and no .. segments), then resolve the joined path and confirm it still sits inside the intended directory before opening anything. With both checks in place the ../ trick stops working, and so do its URL-encoded variants, because the check happens after decoding.
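The following is an added example, not code from the original page: it builds a throwaway "downloads" folder (a constructed sandbox, with a sensitive file one level above it standing in for /etc/passwd), then shows the unchecked file lookup described under "What is path traversal?" next to the validated version described here. The function names, the SAFE_NAME allowlist and the sample file contents are assumptions made for this demo.

```python
import os
import re
import tempfile
import urllib.parse

# Constructed sandbox (not a real server): a "downloads" folder with one
# legitimate report, and a sensitive file one level above it standing in for
# something like /etc/passwd.
_ROOT = tempfile.mkdtemp(prefix="traversal_demo_")
DOWNLOADS = os.path.join(_ROOT, "downloads")
os.makedirs(DOWNLOADS)
with open(os.path.join(DOWNLOADS, "report.pdf"), "w") as fh:
    fh.write("quarterly report (constructed sample)")
with open(os.path.join(_ROOT, "secrets.txt"), "w") as fh:
    fh.write("db_password=example-only (constructed sample)")

# Hypothetical allowlist for this demo: one plain filename of safe characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def serve_file_vulnerable(user_path: str) -> str:
    """The pattern traversal exploits: decode the request, glue it onto the
    downloads folder, open whatever that points at. No check at all."""
    target = os.path.join(DOWNLOADS, urllib.parse.unquote(user_path))
    with open(target) as fh:
        return fh.read()


def serve_file_hardened(user_path: str) -> str:
    """Same lookup with data validation in front of the filesystem call."""
    decoded = urllib.parse.unquote(user_path)
    # 1. Allowlist the shape of the input: one filename, no separators,
    #    and neither '.' nor '..' on their own.
    if not SAFE_NAME.fullmatch(decoded) or decoded in (".", ".."):
        raise PermissionError(f"rejected filename: {user_path!r}")
    # 2. Canonicalise and confirm the resolved path is still inside DOWNLOADS.
    #    This catches anything step 1 missed, e.g. a symlink planted in the folder.
    base = os.path.realpath(DOWNLOADS)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes downloads directory: {user_path!r}")
    with open(candidate) as fh:
        return fh.read()


def hardened_rejects(user_path: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        serve_file_hardened(user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for req in ("report.pdf", "../secrets.txt", "..%2Fsecrets.txt", "%2e%2e/secrets.txt"):
        try:
            print(f"vulnerable {req!r:24} -> {serve_file_vulnerable(req)[:24]!r}")
        except OSError as exc:
            print(f"vulnerable {req!r:24} -> error {exc}")
        result = "REJECTED" if hardened_rejects(req) else serve_file_hardened(req)[:24]
        print(f"hardened   {req!r:24} -> {result!r}")
```

The two checks are deliberately redundant: the allowlist rejects the input on its shape alone, and the realpath comparison confirms where the path actually lands after symlinks and .. segments are resolved. Note that the vulnerable version also follows an absolute path such as /etc/passwd, because os.path.join discards the base directory when the second argument is absolute.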

SQL Injection (Unit 5)

SQL injection and path traversal are cousins. Both feed malicious text into an open-ended input field that the app trusts too much. One targets the database query, the other targets the file path, but the root cause is the same missing input check.

Data at Rest (Unit 5)

Path traversal hits data at rest, the files sitting on the server's drive. EK 5.1.A.1 says unencrypted files are readable by anyone with access, so encrypting data at rest blunts the damage even if the traversal succeeds. One caveat a practitioner would add: that only holds when the web application itself cannot decrypt the file. Transparent full-disk encryption is decrypted for every process on the running server, so a traversal that goes through the app still returns plaintext; it is application-level encryption, with keys the app does not hold, that limits what the attacker can read.

Is path traversal on the AP Cybersecurity exam?

Expect path traversal in multiple-choice questions that describe a web app pulling files based on user input, then ask what an attacker could exploit. The right answer usually points to missing input validation. You might also see a scenario with ../ characters in a URL or input field, or their URL-encoded forms such as %2e%2e%2f; recognize either as the attack signature. On free-response style risk questions tied to [AP Cybersecurity 5.1.C], be ready to label this a confidentiality risk and recommend two defenses: validate user input and encrypt files at rest. No released FRQ uses the term verbatim, but it fits the kind of application-vulnerability analysis Topic 5.1 rewards.
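Recognizing the signature in practice means looking for ../ after decoding, not before. The following is an added example, not part of the original page: a small detector run over a constructed sample of access-log lines (not real traffic) that catches plain, single-encoded and double-encoded traversal sequences, folds backslashes to forward slashes, and ignores a filename like app..min.js that merely contains two dots. The log lines, IP addresses and helper names are all assumptions made for this demo.

```python
import re
import urllib.parse

# Constructed access-log sample in common log format; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2026:10:01:07 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Mar/2026:10:01:09 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Mar/2026:10:01:11 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.0.7 - - [12/Mar/2026:10:02:30 +0000] "GET /static/app..min.js HTTP/1.1" 200 9001
"""

# One request line: client IP, then the quoted "METHOD target PROTOCOL", then status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# A '..' segment bounded by a separator, the start/end of the string, or a
# query delimiter, so 'app..min.js' is not a hit but 'file=../x' is.
TRAVERSAL = re.compile(r"(?:^|[\\/=?&])\.\.(?:[\\/]|$)")


def normalize_target(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded, so a hostile
    input cannot loop forever) and fold backslashes to '/', so single- and
    double-encoded ../ look the same as the plain form."""
    value = raw
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def find_traversal(log_text: str) -> list[dict]:
    """Return one record per request whose normalized target contains a
    traversal sequence. A 200 status beside a hit means the app served it,
    which is the case that needs incident handling rather than just a block."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        if TRAVERSAL.search(normalize_target(target)):
            hits.append({"ip": ip, "target": target, "status": int(status),
                         "served": status == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['ip']}  {flag:7}  {hit['target']}")
```

Decoding before matching is the whole point: a rule that looks for the literal string ../ misses ..%2F and %2e%2e%2f, which is exactly the gap an attacker probes for. Pairing the hit with the response status separates attempts the app refused from ones it answered.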

Path traversal vs SQL injection

Both abuse unchecked user input, but they aim at different targets. Path traversal manipulates a file path to read files outside the allowed folder. SQL injection slips extra commands into a database query to read or change database records. If the attack is about files and folders, it's traversal; if it's about database tables, it's SQL injection.

Key things to remember about path traversal

  • Path traversal lets an attacker use file path input, often with ../ sequences, to access files outside the directory an app was supposed to use.

  • The root cause is missing input validation, which is exactly what EK 5.1.B.2 warns about.

  • It's primarily a confidentiality risk under [AP Cybersecurity 5.1.C] because it exposes sensitive files to unauthorized people.

  • Path traversal and directory traversal are two names for the same attack.

  • Two defenses to know: validate the user's input and encrypt files at rest (with keys the web application itself cannot reach) so stolen files aren't readable.

Frequently asked questions about path traversal

What is path traversal in cybersecurity?

It's an application attack where an adversary feeds a manipulated file path (like ../../etc/passwd) into an app's input, making the app read files outside its intended folder. It works because the app didn't validate the input.

Is path traversal the same as directory traversal?

Yes. They're two names for the identical attack. "Path" and "directory" both refer to a file's location, so on the AP exam, treat them as interchangeable.

How is path traversal different from SQL injection?

Both exploit unchecked user input, but path traversal targets the file system to read files, while SQL injection targets a database to read or alter records. Files and folders means traversal; database queries means SQL injection.

How do you prevent a path traversal attack?

Validate user input so the app only accepts expected, legitimate filenames and rejects anything that resolves outside its directory, and configure strong access controls, for example running the web app under an account that the operating system does not permit to read files outside that directory. Encrypting data at rest also limits the damage, since EK 5.1.A.1 notes that unencrypted files are readable by anyone who reaches them; this helps only when the app itself cannot decrypt the file, because transparent disk encryption is decrypted for every process on the server.

Is path traversal on the AP Cybersecurity exam?

It fits Unit 5, Topic 5.1, and supports learning objectives 5.1.A, 5.1.B, and 5.1.C. Expect it in multiple-choice scenarios about web apps that load files from user input, where the answer hinges on missing input validation.
