  • Post last modified:June 12, 2024

What is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the root directory of the web server?

  • XSS
  • web redirection
  • directory traversal
  • HTTP 302 cushioning
  • iFrames
Explanation & Hint:

The HTTP exploit that allows attackers to access restricted directories and execute commands outside of the root directory of the web server is known as “directory traversal.” This type of attack exploits insufficient security validation or sanitization of user-supplied file names, enabling attackers to access files and directories that are stored outside the web root folder.

By manipulating variables that reference files with “dot-dot-slash (../)” sequences and similar constructs, attackers can move up the directory hierarchy and access files or directories that should be inaccessible from the web. This can lead to information disclosure, website defacement, or server compromise.
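The validation gap described above, shown as an added example that is not part of the original post: a path join that trusts the user-supplied file name, next to a resolver that canonicalizes the path and confirms it is still inside the web root. The web root `/var/www/html`, the function names, and the sample request paths are assumptions constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed web root for this example


def naive_resolve(requested: str) -> str:
    """Weak pattern: joins user input to the root and never checks the result."""
    return os.path.normpath(os.path.join(WEB_ROOT, requested))


def safe_resolve(requested: str) -> Optional[str]:
    """Return the canonical path if it stays inside WEB_ROOT, else None.

    `requested` is assumed to be the raw, still percent-encoded URL path.
    """
    decoded = unquote(requested)          # decode %2e%2e%2f before checking
    if "\x00" in decoded:                 # NUL bytes never belong in a file name
        return None
    root = os.path.realpath(WEB_ROOT)
    # Treat the request as relative to the root, then resolve ".." and symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares whole path components, so a sibling directory such
    # as /var/www/html-backup does not pass the way a string-prefix test would.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed sample request paths (not taken from real traffic).
SAMPLES = [
    "images/logo.png",
    "/index.html",
    "../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "../html-backup/secret.txt",
]


def audit(samples):
    """Map each sample to (path the naive join yields, path the safe check allows)."""
    return {s: (naive_resolve(s), safe_resolve(s)) for s in samples}


if __name__ == "__main__":
    for request, (naive, safe) in audit(SAMPLES).items():
        print(f"{request!r:45} naive={naive!r:40} safe={safe!r}")
```

The check runs on the canonical path rather than on the raw string, so it does not depend on enumerating every spelling of `../`.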

The other options mentioned serve different purposes:

  • XSS (Cross-Site Scripting): This is an attack that injects malicious scripts into otherwise benign and trusted websites.
  • Web Redirection: This involves redirecting a user from one web page to another, which can be used maliciously but is not specifically related to accessing restricted directories.
  • HTTP 302 Cushioning: This term does not correspond to a recognized web security vulnerability. HTTP 302 is a standard response code indicating URL redirection.
  • iFrames: While iFrames can be used in some types of attacks (like clickjacking), they are not used for directory traversal attacks.

For more Questions and Answers:

Threat Analysis Post-Assessment | CBROPS
