Directory traversal uses ../ sequences to navigate outside intended directories and read unauthorized files — potentially exposing /etc/passwd, config files, or source code.
Prevention: input validation, canonicalize paths before validation, chroot jails. A WAF can block ../ patterns. Affects any web app that constructs file paths from user input.