A directory traversal vulnerability is present when a user can gain unauthorized access to files, e.g. by using path traversal sequences such as ../.

Discovery

To find directory traversal vulnerabilities on a webpage, try fuzzing query parameters, especially when the value looks like a filename. A common technique is to add ../ and ..\ to the path to traverse the server filesystem.

Also see the PHP wrapper trick (php://filter) when trying to read files that may contain special characters (which may be misinterpreted when include() is used).

Exploitation

To attack a directory traversal vulnerability, simply load the desired file, such as /etc/passwd. RCE is achievable when include() is used in the source and a PHP wrapper (php://filter) can be used to load attacker-supplied plain text as a file.
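
On the defending side, both the ../ case and the php:// wrapper case are closed by canonicalizing the requested name and checking that it stays inside one base directory before the file is opened. The following is an added example, not code from the original page; resolve_page(), the temporary directory layout and the request strings are hypothetical and constructed for illustration.

```php
<?php
// Added example: resolve a user-supplied file name against a fixed base
// directory. resolve_page() is a hypothetical helper, not a PHP built-in.
function resolve_page(string $baseDir, string $name): ?string
{
    // Reject stream wrappers (php://filter and friends) and NUL bytes
    // before the value ever reaches a filesystem function.
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and resolves symlinks; false if missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator
    // so that /pages-old does not pass as a child of /pages.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample data: a "pages" directory and a file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'trav_demo_' . getmypid();
@mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/about.txt', "about\n");
file_put_contents($root . '/secret.txt', "secret\n");

// Constructed request values, as they might arrive in a query parameter.
$requests = ['about.txt', '../secret.txt', '..\\secret.txt',
             '../../../../etc/passwd', 'php://filter/resource=about.txt'];
foreach ($requests as $r) {
    $path = resolve_page($root . '/pages', $r);
    // A real handler would readfile($path) here, never include($path),
    // so file contents are sent as data and not executed as PHP.
    printf("%-34s => %s\n", $r,
        $path === null ? 'rejected' : 'served ' . basename($path));
}
```

Only about.txt is served; every other request resolves outside the base directory, does not exist, or names a stream wrapper, and is rejected.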