BYPASSING FILTERS FOR TRAVERSAL ATTACKS
The first type of input filter commonly encountered checks whether the filename parameter contains any path traversal sequences and, if so, either rejects the request or attempts to sanitize the input by removing the sequences. This type of filter is often vulnerable to attacks that use alternative encodings and other tricks to defeat it. These attacks all exploit the canonicalization problems faced by input validation mechanisms: the filter inspects one representation of the input, while the file system acts on a different, decoded one.
Always try path traversal sequences using both forward slashes and backslashes. Many input filters check for only one of these, while the file system may support both.
Try simple URL-encoded representations of traversal sequences, using the following encodings. Be sure to encode every single slash and dot within your input:
dot %2e
forward slash %2f
backslash %5c
Try using 16-bit Unicode encoding:
dot %u002e
forward slash %u2215
backslash %u2216
Try double URL encoding:
dot %252e
forward slash %252f
backslash %255c
Try overlong UTF-8 Unicode encoding:
dot %c0%2e %e0%40%ae %c0ae etc.
forward slash %c0%af %e0%80%af %c0%2f etc.
backslash %c0%5c %c0%80%5c etc.
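The defender-side view of the same canonicalization problem, added here as an example and not code from the original text: a naive filter that inspects the raw parameter passes the encoded forms listed above, whereas a check that decodes to a fixed point first, rejects malformed (overlong) UTF-8, whitelists each path segment and then confirms the resolved path is still under the document root does not. BASE_DIR, naive_filter, decode_fully and resolve_safe_path are this example's own assumed names.

```python
import os
import re
from urllib.parse import unquote_to_bytes

# Assumed document root; a constructed value for this example, not a real deployment.
BASE_DIR = "/var/www/files"
MAX_DECODE_ROUNDS = 3
# One path segment: plain ASCII, no leading dot, so "." and ".." can never match.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def naive_filter(raw: str) -> bool:
    """The weak check the text describes: looks for literal traversal
    sequences in the raw parameter, before any decoding has happened."""
    return "../" not in raw and "..\\" not in raw


def decode_fully(raw: str):
    """Percent-decode until the value stops changing (defeats double encoding),
    mapping non-standard %uXXXX escapes to their code point first. Overlong
    UTF-8 is not valid UTF-8, so it is rejected rather than guessed at.
    Returns the decoded string, or None when the input is rejected."""
    cur = raw
    for _ in range(MAX_DECODE_ROUNDS):
        step = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), cur)
        try:
            step = unquote_to_bytes(step).decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            return None
        if step == cur:
            return cur
        cur = step
    return None  # still changing after the limit: treat as hostile


def resolve_safe_path(raw: str):
    """Canonicalize first, validate the decoded value, then confirm the
    resolved path is still under BASE_DIR. Returns the path or None."""
    decoded = decode_fully(raw)
    if decoded is None:
        return None
    segments = decoded.split("/")
    # Rejects "..", ".", backslashes and look-alike Unicode slashes such as U+2215.
    if not all(SAFE_SEGMENT.match(seg) for seg in segments):
        return None
    root = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```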