Full Path Disclosure

Full Path Disclosure refers to being able to see the full path of something hosted on the server. It’s often, but not always, the location of the script itself.

What can happen?

The information exposed is most often rather harmless, but may aid in other attacks such as Local File Inclusion. For example, the path may expose which CMS the site is running, which web server it uses and/or other sensitive information.

Example of Full Path Disclosure

Many server errors include the full path by default. An attacker can often force a server error in several ways; two of the most common are PHP Null Session and Empty Array.

PHP Null Session

You can read about PHP Null Session here.

Empty Array

Say we had a page like this:
https://example.com/index.php?page=about

Now, if we turn the string parameter page into an array instead, we will force PHP to generate an error that discloses the path of the script:
https://example.com/index.php?page[]=about

More examples

More examples can be found at OWASP.

Common False Positive

When a path is embedded in a blog or forum post, we will mark it as a vulnerability even though it’s just a text string. We’ve discussed this internally multiple times, but decided that an effort to try and filter out these findings would result in too many overlooked vulnerabilities. However, if you mark the finding as “accepted risk” or “false positive”, we will try to automatically filter it out for you in future scans so you won’t be bothered by it anymore.

Remediation

Make sure no auto-generated errors are shown to the end user and don’t include the path in your own customized ones.
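
One way to apply this to the index.php?page= example above, shown as an added example that is not part of the original article. The page allowlist, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example (not from the original article).
// ALLOWED_PAGES, the pages/ directory and resolve_page() are hypothetical.

// Keep error detail out of responses and send it to the server log instead.
// Setting these in php.ini is preferable: it also covers errors raised
// before this script starts executing.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Last line of defence: anything uncaught is logged with its file and line,
// while the client only receives a generic message without a path.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return a known page name, or null for anything unexpected.
 * A request such as ?page[]=about arrives as an array, so the type is
 * checked before the value reaches any function that expects a string.
 */
function resolve_page($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : null;
}

$page = resolve_page($_GET['page'] ?? 'home');

if ($page === null) {
    // Custom error: no file system path and no echo of the raw parameter.
    http_response_code(404);
    echo 'Page not found.';
    exit;
}

require __DIR__ . '/pages/' . $page . '.php';
```

Because only allowlisted names reach require, the same check also removes the Local File Inclusion risk mentioned earlier for this parameter.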
