Apache Directory Traversal Attack Detection

WebServerErrors Apache Directory Traversal / LFI

What This Means

Detect directory traversal attacks in Apache access logs. Identify path traversal sequences targeting sensitive files and learn mitigation strategies for Apache web servers.

Example Log

198.51.100.88 - - [08/Mar/2026:18:30:15 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 400 380 "-" "curl/7.68.0"

Indicators of Suspicious Activity

Request URIs containing ../ or encoded equivalents (%2e%2e%2f, %252e%252e)
Attempts to access /etc/passwd, /etc/shadow, or /proc/self/environ
Requests targeting Apache config files (httpd.conf, apache2.conf, .htpasswd)
Null byte injection attempts (%00) to bypass file extension validation
Traversal attempts combined with PHP wrappers (php://filter, php://input)
400 or 403 responses to traversal requests showing the server blocked them

How to Investigate

Search Apache access logs for path traversal patterns using regex
Decode URL-encoded characters to reveal actual traversal paths
Check if any traversal attempts received 200 responses (successful exploitation)
Identify the specific files the attacker is targeting
Review mod_security logs for corresponding rule triggers
Verify that Apache AllowOverride and Directory directives are restrictive

Recommended Mitigations

Ensure Apache is compiled and configured to prevent following symlinks outside doc root
Use mod_security with OWASP Core Rule Set for comprehensive traversal detection
Configure AllowOverride None for directories outside the web root
Implement input validation in application code for all file path parameters
Use open_basedir in PHP to restrict file access to the web directory
Regularly scan with OWASP ZAP or similar for path traversal vulnerabilities

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 4 + 7?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

How does directory traversal work against Apache? ▼

Attackers send requests with ../ sequences in the URL to navigate outside the web root directory. If Apache or the application does not properly validate the path, the attacker can read arbitrary files on the server.

Does mod_security protect against directory traversal? ▼

Yes. The OWASP ModSecurity Core Rule Set includes rules that detect and block directory traversal patterns, including encoded and double-encoded variations. Ensure mod_security is running in blocking mode.

What is the difference between LFI and directory traversal? ▼

Directory traversal is the technique of navigating the file system using ../ sequences. Local File Inclusion (LFI) is a vulnerability where the application includes a file based on user input. LFI often uses directory traversal as the exploitation method.