Question 9 - ECcouncil CHFI 312-49v10 Real Exam Questions [Feb 2026 Update]

Q: 9

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server’s root directory?

Options

Discussion

Mason Jan 18, 2026 8:01 pm

That's directory traversal, so option C. This attack exploits path input to reach sensitive files beyond the web server root. I've seen similar questions in practice exams and it's always pointing to directory traversal for this scenario. Pretty sure about it but correct me if you see something I missed.

Hannah C. Feb 1, 2026 6:02 am

Don't think it's D like some say, that's a trap here. C fits since directory traversal is what actually gives access outside the web root.

Sean I. Jan 19, 2026 8:38 am

C . Directory traversal is the one that lets an attacker jump outside the web server's root and access system files using path tricks like ../. The others don't really match that scenario, right?

Sofia Z. Jan 19, 2026 3:52 am

D tbh

Ajay E. Jan 24, 2026 4:23 am

C imo, directory traversal is exactly for escaping the web root and grabbing sensitive files. The other options don't really let attackers go outside the intended folder structure. Pretty confident but open to other takes.

QuickReviewer3875 Jan 25, 2026 5:45 am

Call it C, I've seen similar on official practice and directory traversal is usually the right pick for accessing files outside webroot.

Sanjay S. Jan 22, 2026 10:37 pm

C for me. Directory traversal is the only one here that lets someone escape the web root and reach sensitive files by tampering with path inputs. Unvalidated input can lead to this, but directory traversal is the direct attack. Pretty sure that's what they're after, agree?

Morgan L. Jan 25, 2026 7:03 am

C not D. Security misconfig can be a trap here but directory traversal specifically lets attackers move outside the web root.

Ethan X. Jan 22, 2026 6:25 pm

Yeah C fits. Directory traversal lets attackers break out of the web root and grab files they shouldn't access, like configs or source code. The others don't really allow for that kind of direct file system access. Pretty confident about this one but open to corrections if anyone disagrees.

MethodicalMentor3826 Jan 15, 2026 6:15 pm

C, that's directory traversal for sure

Be respectful. No spam.

Correct Answer:

Explanation

Directory traversal, also known as path traversal, is a web security vulnerability that allows an attacker to read arbitrary files on the server running an application. This attack exploits insufficient security validation of user-supplied input for file paths. By manipulating variables that reference files with "dot-dot-slash" (../) sequences and its variations, an attacker can navigate out of the web root directory. This enables them to access sensitive files such as application source code, configuration files, and critical system files (e.g., /etc/passwd on Unix-like systems), which is the exact behavior described in the question.

Why Incorrect

A. Parameter/form tampering: This attack involves modifying parameters exchanged between client and server to change application data, such as prices or permissions, not to navigate the file system.

B. Unvalidated input: This is a general class of vulnerabilities. While directory traversal is a result of unvalidated input, it is not the specific attack itself. The question asks for the specific attack, making 'Directory traversal' the more precise answer.

D. Security misconfiguration: This refers to an insecure state of the system (e.g., default credentials, improper permissions) that might enable an attack, but it is not the attack technique itself.

References

1. MITRE, Common Weakness Enumeration (CWE). (2023). CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." Retrieved from https://cwe.mitre.org/data/definitions/22.html

2. OWASP Foundation. (n.d.). Path Traversal. "Path traversal (also known as directory traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application... By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations, it may be possible to access arbitrary files and directories stored on file system, including application source code or configuration and critical system files." Retrieved from https://owasp.org/www-community/attacks/PathTraversal

3. Pell, D., & Zand, A. (2021). A review of web application security vulnerabilities and countermeasures. International Journal of Computer Science and Information Security (IJCSIS), 19(5), 1-10. In Section III, Part A, the paper describes Directory Traversal as an attack where "an attacker can gain access to files and directories that are stored outside the web root folder... by manipulating variables that reference files with 'dot-dot-slash (../)' sequences."

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE