Is this considered directory traversal?


So I’m currently testing a site that has a URL like this

I found that I can do to get to the home page

or I can read files like the CSS for another page

NOTE: The company’s policy states that a researcher can only go to the minimal amount of testing required to prove that a vulnerability exists, so I don’t want to try accessing the passwd file or any other sensitive file that isn’t already public. I also tried but it seems to check if the URL is local so that doesn’t work. Would what I found be considered directory traversal?


No, this would not be directory traversal, as you are not proving that you have access to anything that’s restricted.


Please refer to the OWASP page for this kind of attack.