HTTP requests containing path traversal sequences

Goal

Detect HTTP requests containing path traversal sequences in the URL path or query string, including when the response is successful.

Strategy

This rule monitors OCSF HTTP requests for encoded and plain parent-directory traversal patterns, grouped by @ocsf.src_endpoint.ip.
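
An added example, not the rule's own query: a Python version of this kind of detection that percent-decodes the path and query string repeatedly, matches a parent-directory segment, and counts hits per source IP with successful responses tallied separately. The nested event layout, the three-round decode limit and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# A ".." segment bounded by a separator (or string start/end) after decoding.
TRAVERSAL = re.compile(r"(?:^|[/=&?;])\.\.(?:[/&;]|$)")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double percent-encoding

def normalize(value: str) -> str:
    """Percent-decode repeatedly, then fold backslashes to forward slashes."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(event: dict) -> bool:
    """True if the URL path or query string holds a traversal segment."""
    url = event["http_request"]["url"]
    return any(TRAVERSAL.search(normalize(url.get(k) or ""))
               for k in ("path", "query_string"))

def group_by_source(events) -> dict:
    """Return {source ip: {"total": n, "successful": n}} for matching requests."""
    hits = defaultdict(lambda: {"total": 0, "successful": 0})
    for ev in events:
        if has_traversal(ev):
            bucket = hits[ev["src_endpoint"]["ip"]]
            bucket["total"] += 1
            if 200 <= ev["http_response"]["code"] < 300:
                bucket["successful"] += 1  # traversal answered with a 2xx
    return dict(hits)

def make_event(ip, path, query, code):
    return {"src_endpoint": {"ip": ip},
            "http_request": {"url": {"path": path, "query_string": query}},
            "http_response": {"code": code}}

# Constructed sample events (documentation IP ranges, hypothetical paths).
SAMPLE_EVENTS = [
    make_event("203.0.113.7", "/static/../../etc/passwd", "", 404),
    make_event("203.0.113.7", "/download", "file=..%2f..%2fapp%2fconfig.yml", 200),
    make_event("203.0.113.7", "/img/%252e%252e%255cweb.config", "", 403),
    make_event("198.51.100.20", "/docs/v1..2/notes", "q=a..b", 200),  # benign dots
    make_event("198.51.100.20", "/index.html", "", 200),
]

if __name__ == "__main__":
    print(group_by_source(SAMPLE_EVENTS))
```

The per-source count of successful responses is the part to look at first during triage, since those requests are the ones that may have returned file content.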

Triage and response

  • Review whether traversal attempts reached sensitive files or APIs and whether responses leaked content.
  • If activity is malicious and unauthorized, consider blocking or rate limiting {{@ocsf.src_endpoint.ip}} and follow your incident response process.