Traverser is a Python-based utility for detecting Path Traversal vulnerabilities in web applications.
It automates payload injection and request handling to help identify improper file path validation.
- Automated Path Traversal vulnerability detection
- Custom wordlist support
- Concurrent HTTP requests
- Flexible payload placement
- Support for custom HTTP headers
- Python 3.13.1 or newer
```bash
git clone https://github.com/ethercod3/traverser.git
cd traverser
python -m venv .venv
```

Windows

```
.venv\Scripts\activate
```

Linux / macOS

```bash
source .venv/bin/activate
```

```bash
pip install -r requirements.txt
```

```bash
python traverser.py \
  -u "https://localhost:8000/image?filename={INSERT_PAYLOAD}" \
  -t /etc/passwd \
  -p "{INSERT_PAYLOAD}" \
  -sr 5
```

| Short | Long | Required | Description | Default |
|---|---|---|---|---|
| `-u` | `--url` | Yes | Target URL | — |
| `-t` | `--target` | Yes | Target file path on the server | — |
| `-w` | `--wordlist` | No | Path to payload wordlist | `./default.wordlist` |
| `-h` | `--header` | No | Additional HTTP header(s) | — |
| `-sr` | `--simultaneous-requests` | No | Maximum number of concurrent requests | `1` |
| `-p` | `--place` | No | Payload placeholder string | `<>` |
| `-ss` | `--success-statuses` | No | Successful HTTP statuses | `200-400` |
| `-v` | `--verbose` | No | Display verbose info | `False` |
```bash
-h "Authorization: Bearer TOKEN" \
-h "X-Custom-Header: value"
```

```bash
-ss "200-202" \
-ss "302"
```

The second number of the range is excluded. The resulting status codes will be (200, 201, 302).
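
The improper file path validation that a scan like the one above is meant to surface, next to a hardened counterpart, shown as an added example (this is not code from Traverser). The `BASE_DIR` directory, the `logo.png` file and all function names are assumptions made for illustration, modelled on the `/image?filename=` endpoint in the usage example.

```python
import os
import tempfile
from pathlib import Path

# Assumed layout: an image endpoint that serves files from BASE_DIR.
BASE_DIR = Path(tempfile.mkdtemp(prefix="images_")).resolve()
(BASE_DIR / "logo.png").write_bytes(b"constructed sample image bytes")


def resolve_naive(filename: str) -> Path:
    """Vulnerable pattern: user input is joined to the base directory unchecked."""
    # normpath only shows where open() would end up; it does not validate anything.
    return Path(os.path.normpath(os.path.join(BASE_DIR, filename)))


def resolve_safe(filename: str) -> Path:
    """Hardened pattern: canonicalise first, then require containment."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # resolve() collapses ".." segments and follows symlinks before the check.
    candidate = (BASE_DIR / filename).resolve()
    if not candidate.is_relative_to(BASE_DIR):
        raise ValueError(f"path escapes base directory: {filename!r}")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def escapes_base(path: Path) -> bool:
    """True when a resolved path lies outside BASE_DIR."""
    return not path.is_relative_to(BASE_DIR)


# Constructed sample inputs of the kind a traversal wordlist contains.
SAMPLES = ["logo.png", "../../../etc/passwd", "/etc/passwd", "sub/../../secret.txt"]

if __name__ == "__main__":
    for name in SAMPLES:
        naive = resolve_naive(name)
        try:
            verdict = f"served {resolve_safe(name).name}"
        except (ValueError, FileNotFoundError) as exc:
            verdict = f"rejected ({type(exc).__name__})"
        print(f"{name!r:28} naive escapes={escapes_base(naive)!s:5} safe: {verdict}")
```

An endpoint built on `resolve_safe` answers every escaping payload with an error, so with suitable `-ss` values a scan against it should report no successful payloads.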