Common Path Traversal in Stock Trading Apps: Causes and Fixes

February 11, 2026 · 4 min read · Common Issues

What causes path traversal in stock trading apps (technical root causes)

Path traversal, also known as directory traversal, occurs when an application improperly validates user‑supplied file paths. In a stock trading app the risk surface includes:

All of these scenarios stem from the same root cause: trusting user input to construct a filesystem path without validation, canonicalisation, or permission checks.

Real-world impact (user complaints, store ratings, revenue loss)

When path traversal is exploitable, the fallout is immediate and measurable:

5‑7 specific examples of how path traversal manifests in stock trading apps

1. Statement PDF Download

A user requests a monthly statement via GET /statements?file=statement_2023.pdf. The backend builds the path with new File(baseDir, request.getParameter("file")) and serves whatever it points to. Because java.io.File neither canonicalises the child path nor confines it to baseDir, an attacker can request /statements?file=../../../etc/passwd and read system files.

2. Avatar Upload Bypass

The avatar upload endpoint accepts multipart/form-data with a filename field. The code saves to uploads/{userId}/avatar.jpg. If the attacker sets userId to ../admin via a manipulated session token, the file lands outside the user‑specific directory.

3. Market Data Cache Poisoning

The app caches price snapshots in cache/market/{symbol}.json. A malicious request to GET /cache?symbol=..%2F..%2Fapp%2Fconfig.json can overwrite the configuration file, allowing an attacker to inject false price feeds.

4. Debug Log Exposure

A hidden debug endpoint /debug/logs?file=error.log reads logs from logs/. By supplying file=../../secrets/api_keys.txt, an attacker extracts encrypted API keys used for exchange connectivity.

5. KYC Document Retrieval

After uploading a scanned ID, the app serves the file via /kyc/{userId}/{docName}. If docName is URL‑decoded after being concatenated, ..%2F bypasses the directory restriction and returns another user’s document.

6. Historical Data Export

The export feature builds a ZIP archive containing historical trades. It uses ZipOutputStream with entry names built from the user‑provided period parameter. An attacker can embed entry names like ../../../tmp/evil.sh inside the ZIP; when the archive is later extracted without checking where each entry name points, this leads to an arbitrary file write on the device.
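The check a device‑side extractor needs in order to refuse an entry name like the one above, as an added example rather than the app's own code. SafeUnzip and safeExtract are assumed names; the archive produced by constructedArchive() is constructed for the demonstration and holds one normal entry and one ../ entry.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not the trading app's code): extraction that confines every
// entry to the destination directory. Names are assumptions for this example.
public class SafeUnzip {

    // Extracts the archive into destDir and returns the names of entries that
    // were refused because their canonical target fell outside destDir.
    public static List<String> safeExtract(InputStream archive, File destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        // Canonical form resolves ".." and symlinks; the trailing separator
        // stops "/data/export" from matching a sibling like "/data/export-evil".
        String destRoot = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                File target = new File(destDir, entry.getName());
                if (!target.getCanonicalPath().startsWith(destRoot)) {
                    rejected.add(entry.getName());
                    zin.closeEntry();
                    continue;
                }
                if (entry.isDirectory()) {
                    target.mkdirs();
                } else {
                    target.getParentFile().mkdirs();
                    Files.copy(zin, target.toPath()); // reads up to the end of this entry only
                }
                zin.closeEntry();
            }
        }
        return rejected;
    }

    // Constructed archive: one legitimate export entry and one traversal entry.
    static byte[] constructedArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("trades/2023-Q4.csv"));
            zout.write("symbol,qty,price\nACME,10,42.0\n".getBytes());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../../tmp/evil.sh"));
            zout.write("# placeholder content\n".getBytes());
            zout.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("export").toFile();
        List<String> rejected = safeExtract(new ByteArrayInputStream(constructedArchive()), dest);
        System.out.println("extracted into " + dest);
        System.out.println("rejected entries: " + rejected);
    }
}
```

The same containment test belongs on the server side when the archive is built: entry names derived from the period parameter should be validated against an allow‑list pattern before they are passed to ZipEntry, so that a malformed archive is never produced in the first place.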

7. Third‑Party SDK Configuration

A third‑party payment SDK reads its configuration from data/data/com.trading.app/files/sdk_config.xml. The trading app passes user‑controlled configId to the SDK without validation, allowing traversal to overwrite the SDK’s certificate store.

How to detect path traversal (tools, techniques, what to look for)

How to fix each example (code-level guidance where applicable)

1. Statement PDF Download


import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

String requested = request.getParameter("file");
Path base = Paths.get(STMT_DIR).toAbsolutePath();
// resolve() then normalize() collapses any ../ segments; an absolute input resolves to itself and fails the check below
Path target = base.resolve(requested).normalize();
if (!target.startsWith(base) || !Files.isRegularFile(target)) { // also rejects the base directory itself and missing files
    throw new SecurityException("Invalid file request");
}
Files.copy(target, response.getOutputStream());

Use Path.resolve and normalize, then ensure the resolved path starts with the base directory. Path.startsWith compares whole path components, so a sibling directory such as /data/statements-old does not match a base of /data/statements. Note that normalize is purely lexical: if the base directory can contain symlinks, repeat the check on the result of Path.toRealPath.

2. Avatar Upload Bypass


import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

String userId = session.getUserId(); // server‑side only, never taken from the request
Path uploadDir = Paths.get(UPLOAD_ROOT, userId).toAbsolutePath();
String filename = Paths.get(originalFilename).getFileName().toString(); // strip any directory part
Path target = uploadDir.resolve(filename).normalize();
if (!target.startsWith(uploadDir)) {
    rejectUpload();
    return; // do not fall through to the copy
}
Files.copy(inputStream, target);

Never trust the filename; extract only the basename.

3. Market Data Cache Poisoning


import java.nio.file.Path;
import java.nio.file.Paths;

String symbol = request.getParameter("symbol");
if (symbol == null || !symbol.matches("[A-Z0-9_-]+")) { // allow‑list: ticker characters only, no separators
    rejectRequest();
    return;
}
Path cacheDir = Paths.get(CACHE_DIR).toAbsolutePath();
Path target = cacheDir.resolve(symbol + ".json").normalize();
if (!target.startsWith(cacheDir)) { // defence in depth; cannot fail once the allow‑list above holds
    rejectRequest();
    return;
}

Apply strict whitelist validation on symbols.
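The resolve/normalize/startsWith check used in fixes 1 to 3 above, pulled into one reusable method and extended with a second check on the real path, so that a symlink inside the base directory cannot point outside it. This is an added example, not code from the article: the class SafePaths, the method safeResolve and the inputs listed in main are assumptions, and a temporary directory stands in for STMT_DIR.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

// Added example (not the article's code): a resolver that confines a
// user-supplied relative path to a base directory, lexically and on disk.
public class SafePaths {

    // Resolves userInput under base and returns the real target only if it stays inside base.
    public static Path safeResolve(Path base, String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty()) {
            throw new SecurityException("empty file request");
        }
        Path absBase = base.toAbsolutePath().normalize();
        // Lexical check: collapses ../ segments. A leading "/" makes resolve()
        // return the absolute input unchanged, which then fails startsWith.
        Path target = absBase.resolve(userInput).normalize();
        if (target.equals(absBase) || !target.startsWith(absBase)) {
            throw new SecurityException("path escapes base directory: " + userInput);
        }
        // Filesystem check: normalize() cannot see that a symlink inside base
        // points elsewhere, so repeat the containment test on the real paths.
        Path realBase = absBase.toRealPath();
        Path realTarget = target.toRealPath();
        if (!realTarget.startsWith(realBase)) {
            throw new SecurityException("symlink escapes base directory: " + userInput);
        }
        return realTarget;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp directory standing in for STMT_DIR.
        Path base = Files.createTempDirectory("stmt");
        Files.writeString(base.resolve("statement_2023.pdf"), "pdf bytes");
        Path outside = Files.createTempFile("secret", ".txt");
        try {
            Files.createSymbolicLink(base.resolve("link.pdf"), outside);
        } catch (UnsupportedOperationException | IOException e) {
            // symlinks may be unavailable on this platform; the lexical cases still run
        }

        List<String> inputs = List.of(
            "statement_2023.pdf",          // legitimate
            "../../../etc/passwd",         // classic traversal
            "/etc/passwd",                 // absolute path
            "sub/../statement_2023.pdf",   // normalizes back inside base
            "link.pdf",                    // symlink pointing outside base
            "");                           // empty
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + safeResolve(base, in));
            } catch (SecurityException | IOException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The second check costs a filesystem lookup per request, so it is worth keeping the cheap lexical check in front of it: inputs that fail lexically never touch the disk, and only inputs that already look legitimate pay for toRealPath.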

4. Debug Log Exposure

Remove debug endpoints from production builds. If one is required, enforce role‑based access control and validate the file parameter against an allow‑list of known log files:


import java.util.List;

List<String> allowed = List.of("error.log", "access.log"); // exact names only; no path separators
if (!allowed.contains(request.getParameter("file"))) {
    throw new IllegalArgumentException("Log file not allowed");
}

5. KYC Document Retrieval

Use a mapping table that stores the relationship between user IDs and document IDs in a database. Serve files via a random UUID name stored server‑side; never expose the original filename:


import java.nio.file.Path;
import java.nio.file.Paths;

String docId = request.getParameter("docId");
String storedPath = docStore.getPath(userId, docId); // internal mapping; must also verify that docId belongs to userId
Path target = Paths.get(storedPath).toAbsolutePath();
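A minimal docStore of the kind the snippet above calls, as an added example that is not the article's code. The identifier handed to the client is a random UUID with no path component, the stored filename is chosen by the server, and getPath refuses to return a document owned by another user. KycDocStore, register and getPath are assumed names, and the HashMap stands in for the database table the text describes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example (not the article's code): indirect document references with
// an ownership check, so no client-supplied value ever reaches a path.
public class KycDocStore {

    private static final class Record {
        final String ownerId;
        final Path storedPath;
        Record(String ownerId, Path storedPath) { this.ownerId = ownerId; this.storedPath = storedPath; }
    }

    private final Path kycRoot;
    private final Map<String, Record> byDocId = new HashMap<>(); // stands in for a database table

    public KycDocStore(Path kycRoot) {
        this.kycRoot = kycRoot.toAbsolutePath().normalize();
    }

    // Stores an uploaded scan under a server-generated name and returns the
    // opaque id the client will use later. The original filename is not used.
    public String register(String userId, InputStream upload) throws IOException {
        String docId = UUID.randomUUID().toString();
        Path stored = kycRoot.resolve(docId + ".bin");
        Files.copy(upload, stored);
        byDocId.put(docId, new Record(userId, stored));
        return docId;
    }

    // Looks up a document by its opaque id and verifies ownership before
    // returning a filesystem path. Unknown ids and other users' ids get the
    // same answer, so the response does not reveal whether an id exists.
    public String getPath(String userId, String docId) {
        Record r = byDocId.get(docId);
        if (r == null || !r.ownerId.equals(userId)) {
            throw new SecurityException("document not found");
        }
        return r.storedPath.toString();
    }

    public static void main(String[] args) throws IOException {
        KycDocStore store = new KycDocStore(Files.createTempDirectory("kyc"));
        // Constructed upload content standing in for a scanned ID.
        String aliceDoc = store.register("alice", new ByteArrayInputStream("alice-id-scan".getBytes()));
        System.out.println("alice reads own doc: " + store.getPath("alice", aliceDoc));

        // Constructed attempts by another user: a valid id they do not own,
        // and two traversal-style strings that are simply unknown ids.
        for (String attempt : new String[]{aliceDoc, "../" + aliceDoc, "..%2F..%2Fetc%2Fpasswd"}) {
            try {
                store.getPath("bob", attempt);
                System.out.println("UNEXPECTED: bob read " + attempt);
            } catch (SecurityException e) {
                System.out.println("bob denied for " + attempt);
            }
        }
    }
}
```

Because the path is assembled entirely from kycRoot and a server-generated UUID, the decode-order bug described in example 5 no longer matters: whether docId is URL‑decoded before or after the lookup, it is only ever used as a map key.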
