Java Path Traversal Unvalidated Pathparam
Description
Detects path traversal vulnerabilities in Java JAX-RS web applications where unvalidated @PathParam parameters could be used to access files outside the intended directory. This vulnerability could allow attackers to read or traverse arbitrary files on the server by manipulating path parameters in REST API endpoints.
Detection Strategy
• Checks if JAX-RS framework (javax.ws.rs) is imported in the Java application
• Identifies method parameters annotated with @PathParam that receive user input from URL path segments
• Reports a vulnerability if these path parameters are used without proper validation before accessing files or resources
• Focuses on REST API endpoint methods where path parameters flow into file operations or resource access
Vulnerable code example
import java.io.File;
import java.io.FileInputStream;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
@Path("/files")
public class FileAccessServlet {
...

✅ Secure code example
import java.io.File;
import java.io.FileInputStream;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import org.apache.commons.io.FilenameUtils;
...
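As an added example (not code from this page or from Fluid Attacks), here is the shape of the validation the rule expects between a @PathParam value and the filesystem: a resolver that rejects separators and traversal tokens in the raw value and then confirms the normalized path is still under the base directory. The base directory, class and method names are assumptions, and the javax.ws.rs API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.ws.rs.GET;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

// javax.ws.rs.Path is written fully qualified to avoid clashing with java.nio.file.Path.
@javax.ws.rs.Path("/files")
public class SafeFileResource {
    // Hypothetical directory the endpoint is allowed to serve from (assumption).
    private static final Path BASE_DIR = Paths.get("/srv/app/public").toAbsolutePath().normalize();

    // Resolves a @PathParam value against base; returns null unless the result stays inside it.
    // Two layers: reject separators and ".." in the raw value, then verify the normalized path is
    // still under base. normalize() collapses "a/../b" but does not follow symlinks; use
    // toRealPath() on the candidate as well if BASE_DIR may contain links pointing outside it.
    static Path resolveInside(Path base, String userValue) {
        if (userValue == null || userValue.isEmpty()) {
            return null;
        }
        if (userValue.contains("/") || userValue.contains("\\") || userValue.contains("..")) {
            return null;
        }
        Path candidate = base.resolve(userValue).normalize();
        return candidate.startsWith(base) ? candidate : null;
    }

    @GET
    @javax.ws.rs.Path("/{name}")
    public Response read(@PathParam("name") String name) {
        // JAX-RS hands over the decoded segment, so the check runs on what File would actually see.
        Path target = resolveInside(BASE_DIR, name);
        if (target == null || !Files.isRegularFile(target)) {
            // Same response for "rejected" and "missing": no hint about what exists outside BASE_DIR.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        try {
            return Response.ok(Files.readAllBytes(target)).build();
        } catch (IOException e) {
            return Response.serverError().build();
        }
    }

    // Stand-alone demonstration of the resolver on constructed inputs.
    public static void main(String[] args) {
        String[] samples = {"report.txt", "../../etc/passwd", "sub/report.txt", "..", ""};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + resolveInside(BASE_DIR, s));
        }
    }
}
```

Only the first sample resolves to a path under BASE_DIR; every other value returns null before any file operation runs, which is the kind of guard the rule looks for ahead of the file access.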