IIS 403 Directory Traversal Detection

WebServerErrors IIS Directory Traversal

What This Means

Detect directory traversal attacks in IIS logs. Learn to identify path traversal sequences (../) that attempt to access files outside the web root for data exfiltration.

Example Log

2026-03-08 18:12:33 W3SVC1 WEB01 10.0.1.50 GET /images/..%2f..%2f..%2fetc/passwd - 443 - 198.51.100.88 Mozilla/5.0 - 403 0 0 156

Indicators of Suspicious Activity

Request URIs containing encoded traversal sequences (%2e%2e%2f, ..%5c, %252e%252e)
Requests targeting system files (/etc/passwd, /windows/system.ini, web.config)
Double-encoding attempts to bypass WAF rules (%%32%65 for .)
Path traversal combined with null byte injection (%00) to truncate file extensions
Repeated traversal attempts with increasing depth levels (../../, ../../../)
403 or 400 responses to traversal attempts indicating the server blocked them

How to Investigate

Search IIS logs for URL-encoded traversal patterns in cs-uri-stem and cs-uri-query
Decode the URL encoding to reveal the actual paths being targeted
Check if any traversal attempts resulted in 200 responses (successful exploitation)
Identify the target files the attacker is trying to access
Review IIS Request Filtering rules to ensure traversal sequences are blocked
Test your application for path traversal vulnerabilities

Recommended Mitigations

Enable IIS Request Filtering to reject requests containing ../ and ..\ sequences
Validate and sanitize all file path inputs in application code
Use chroot-style isolation or application sandboxing
Deploy a WAF with path traversal detection rules including double-encoding detection
Ensure the IIS application pool identity has minimal file system permissions
Regularly scan your application with DAST tools for path traversal vulnerabilities

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 3 + 1?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

What is a directory traversal attack? ▼

Directory traversal (also called path traversal) exploits insufficient input validation to access files outside the intended directory. Attackers use sequences like ../ or ..%2f to navigate up the directory tree and read sensitive files.

Does IIS block directory traversal by default? ▼

IIS Request Filtering blocks basic ../ sequences by default, but attackers use double-encoding, Unicode, and other bypass techniques. You need defense in depth with WAF rules and application-level validation.

What files do attackers target with directory traversal? ▼

Common targets include /etc/passwd (Linux), web.config, .env files, database configuration files, application source code, and any file containing credentials or sensitive configuration.