Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server's root directory?

Multiple Choice

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server's root directory?

Explanation:
Directory traversal vulnerabilities arise when a web application constructs a file path from user input without proper validation, allowing an attacker to escape the intended directory and reach restricted areas. By using sequences that move up the directory tree (such as ../), the attacker can navigate outside the web root to access sensitive files like application source code, configuration files, or critical system data. In some setups, if the server uses the provided path to include or process a file, this can also lead to unintended code execution or loading of arbitrary files, effectively letting the attacker run or influence what the server handles outside its normal boundaries. This focus on how file paths are resolved and restricted is what makes directory traversal the best fit for this scenario. Other issues like unvalidated input or parameter tampering describe broader input problems or tampering with data, while security misconfiguration refers to wrong server settings—none of these specifically capture the path-resolving weakness that directory traversal exploits. Mitigation involves strict validation and canonicalization of paths, enforcing a safe base directory, using allowlists, disabling directory listings, and restricting file permissions.