Imperva's just-published web application attack report (3.46MB PDF) contains something of a surprise. For some time now, XSS (cross-site scripting) attacks have been the most popular, having overtaken SQL injection. Not any more. At least where implicated in application attacks, they have been edged out by the new kid, Directory Traversal, by the narrow margin of 37% to 36% (SQLi remaining at 23%).
The Four Main Attack Types (from Imperva's Web Application Attack Report Edition #1, July 2011)
What is it? Essentially, a way of passing the character sequence that means "traverse upward to the parent directory" through to one of the vulnerable application's file APIs. The vulnerability exists because user-provided input that selects a particular file name or path is either not validated or not sanitised sufficiently before it reaches that API. The result of a Directory Traversal attack is that the contents of files and folders never intended to be accessible that way are exposed to the attacker.
Obviously the severity of the attack depends upon the nature of the exposed material. Favourite targets include particularly sensitive file content such as users' personal account information, system metadata, and so on. The technique itself is of course not new; only its paramount popularity is.
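The two halves of the problem just described, as an added example that is not from the post or from Imperva's report: the vulnerable pattern of handing a user-chosen name straight to a file API, beside a containment check that decides on the canonical path rather than by searching the raw string for "..". BASE_DIR, the function names and the sample file names are constructed for illustration.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for this example; in a real application it is
# the one directory the file-serving feature is meant to expose.
BASE_DIR = os.path.abspath("public_docs")


def unsafe_path(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: the user-chosen name goes straight into the
    file API, so any '..' segment in user_path walks above base_dir."""
    return os.path.join(base_dir, user_path)


def safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if it would escape.

    The decision is taken on the canonical form of the path (one round of
    percent-decoding, separator normalisation, '.'/'..' collapsing), not by
    searching the raw string for '..', so the usual encoding and separator
    variants are caught as well. Assumes the framework hands over the raw
    request path once, still percent-encoded.
    """
    base_dir = os.path.abspath(base_dir)
    decoded = unquote(user_path)
    # An embedded NUL can truncate the name inside some file APIs.
    if "\x00" in decoded:
        return None
    # Windows file APIs accept backslashes as separators; so must the check.
    decoded = decoded.replace("\\", "/")
    # A user-selected file name is never allowed to be an absolute path.
    if posixpath.isabs(decoded) or os.path.isabs(decoded):
        return None
    candidate = os.path.abspath(
        os.path.join(base_dir, posixpath.normpath(decoded)))
    try:
        inside = os.path.commonpath([base_dir, candidate]) == base_dir
    except ValueError:  # different drives on Windows: certainly outside
        return None
    # The root itself is a directory, not a file a user may request.
    if not inside or candidate == base_dir:
        return None
    return candidate
```

The check is deliberately a whitelist on the resolved location: anything that does not land strictly inside the root is refused, whichever spelling of the parent-directory sequence was used.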
Imperva Web Application Attack Report Edition #1 (July 2011):