The pattern -page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd (often appearing in logs as ?page=../../../../etc/passwd or encoded as ..%2F..%2F..%2F..%2Fetc%2Fpasswd) is a textbook example of an attacker attempting to escape the intended website directory to access restricted system files, such as the Unix password file (/etc/passwd).

Below is a technical overview article discussing this type of web vulnerability, how it works, and how to prevent it.

1. What is Directory Traversal?

Imagine a web application that loads page content based on a page parameter: -page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd

In file systems, .. refers to the parent directory. By repeating this (../../../../), an attacker moves up from the web application's root directory to the system root.

If the application expects a specific set of pages (e.g., home, about, contact), use a whitelist. For example:
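As an added example (not code from the article), the whitelist check described above paired with a canonicalised-path containment check, plus a small detector that flags the ?page= traversal pattern in access logs; the content root, the allowlist contents and the log lines are assumptions constructed for this example.

```python
import os
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed content root and allowlist for this example (not from the article).
PAGES_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}

def resolve_page(page_param, root=PAGES_ROOT):
    """Map a user-supplied page name to a file path, or return None.
    Defence 1: the decoded name must be one of the expected pages.
    Defence 2: the canonicalised path must still sit under the content root,
    so a later allowlist mistake cannot reopen traversal."""
    name = unquote(page_param)  # treat "..%2F" the same as "../"
    if name not in ALLOWED_PAGES:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name + ".html"))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def has_traversal(url):
    """True if any query value contains a '..' path segment after decoding."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches %252F
        if ".." in decoded.replace("\\", "/").split("/"):
            return True
    return False

# Constructed access-log lines (not real traffic) to run the detector over.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.php?page=home HTTP/1.1" 200',
    '10.0.0.9 - - "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.7 - - "GET /index.php?page=about HTTP/1.1" 200',
]

def flag_traversal_requests(log_lines):
    """Return the log lines whose request target looks like a traversal attempt."""
    flagged = []
    for line in log_lines:
        target = line.split('"')[1].split(" ")[1]  # '/index.php?page=...'
        if has_traversal(target):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", line)
```

The allowlist alone stops the attack; the realpath containment check is the second layer so that a file-serving bug elsewhere cannot reach outside the content root.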