Path Traversal Exploit: Bypassing Filters Using Superfluous URL-Decoding

Hacker2255

Introduction

Path traversal is a vulnerability that allows attackers to access files outside the intended directory by manipulating file paths. Developers often try to prevent it by filtering path traversal sequences (e.g., ../). However, some applications apply superfluous URL-decoding, decoding the input a second time after the filter has already run, and this extra decode can be exploited to bypass the protection.

In this blog, we'll explore how to exploit a path traversal vulnerability where traversal sequences are stripped from the input, but the application then URL-decodes the value again before using it.

Understanding the Vulnerability

What is Path Traversal?

Path traversal allows an attacker to access arbitrary files on a server by manipulating file paths. A common attack targets the /etc/passwd file on Linux servers using:

/image?file=../../etc/passwd

But developers often block ../ to prevent this.

What is Superfluous URL-Decoding?

URL-encoding represents special characters in a URL as a percent sign followed by the character's hexadecimal value:

  1. A dot (.) becomes %2e

  2. A slash (/) becomes %2f

  3. The sequence ../ becomes %2e%2e%2f

A web server decodes the query string once before the application sees it. If the application's filter removes ../ from that once-decoded value, and the application then decodes the value again before using it, we can bypass the filter by double-encoding the payload:

%252e%252e%252f --> URL-decoded --> %2e%2e%2f --> URL-decoded --> ../

The filter only ever sees %2e%2e%2f, which it does not recognise; the second decode turns it into a valid traversal sequence!

Exploiting the Lab

Step 1: Identifying the Vulnerability

  1. The application takes a file parameter to load images.

  2. It strips ../ from the parameter, but then URL-decodes the value again before using it.

  3. We suspect double encoding can bypass the filter.

Step 2: Crafting the Payload

We double URL-encode ../ so that the filter does not recognise it:

%252e%252e%252f

So, our final payload to access /etc/passwd is:

/image?file=%252e%252e%252f%252e%252e%252fetc/passwd

Step 3: Sending the Request

Send the request with Burp Suite or a browser. If the bypass works, the response contains the contents of /etc/passwd.

Mitigation

Developers can prevent this attack by:

  1. Canonicalising input before processing: decode exactly once, then resolve the path, and run the filter on the final form.

  2. Restricting file access to the intended directory: resolve the requested path and verify that the result still lies inside that directory.

  3. Using allowlists (permit only expected file names or file types).

  4. Validating the encoding to detect multiple URL-decode attempts: if a percent-encoded sequence is still present after the single legitimate decode, the input was encoded more than once and should be rejected.
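To make the decode-order problem from the "Understanding the Vulnerability" section and the four mitigations above concrete, here is an added Python example (written for this post, not code from the lab or from PortSwigger). It models the flawed handler as a function that decodes, filters, then decodes again, and places a hardened version beside it that decodes once, rejects residual encoding, applies a file-type allowlist and checks that the resolved path stays inside the image directory. The image directory, the allowed extensions and the file names are constructed for the example; the double-encoded payload is the one from the post.

```python
import os
import re
import urllib.parse

# Constructed values for this example (not from the lab): the directory the
# image handler is meant to serve from, and the file types it should expose.
IMAGE_DIR = "/srv/images"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Matches any percent-encoded byte that survives a decode pass.
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def vulnerable_resolve(raw_file_param: str) -> str:
    """Model of the flawed handler the post describes.

    The web server decodes the query string once, the filter strips '../',
    and then the application decodes the value a second time. A double-encoded
    '%252e%252e%252f' passes the filter as '%2e%2e%2f' and only becomes '../'
    in the superfluous decode, after the filter has already run.
    """
    once = urllib.parse.unquote(raw_file_param)   # the web server's decode
    filtered = once.replace("../", "")            # the traversal filter
    twice = urllib.parse.unquote(filtered)        # the superfluous decode
    return os.path.normpath(os.path.join(IMAGE_DIR, twice))


def has_residual_encoding(value: str) -> bool:
    """Mitigation 4: after the single legitimate decode, any '%XX' left over
    means the client sent a value that was encoded more than once."""
    return _PCT.search(value) is not None


def hardened_resolve(raw_file_param: str):
    """Mitigations 1 to 4 together. Returns the resolved path, or None to refuse."""
    decoded = urllib.parse.unquote(raw_file_param)  # decode exactly once
    if has_residual_encoding(decoded):
        return None                                 # multiple-encoding attempt
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        return None                                 # allowlist of file types
    # Resolve '..' and symlinks, then confirm the result is still under
    # IMAGE_DIR. os.path.join discards IMAGE_DIR when 'decoded' is an absolute
    # path, which the containment check below also catches.
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None                                 # escaped the image directory
    return candidate


if __name__ == "__main__":
    payload = "%252e%252e%252f%252e%252e%252fetc/passwd"   # payload from the post
    print("vulnerable:", vulnerable_resolve(payload))     # /etc/passwd
    print("hardened:  ", hardened_resolve(payload))       # None
    print("hardened:  ", hardened_resolve("cat.jpg"))      # .../srv/images/cat.jpg
```

The vulnerable function shows why the naive filter looks correct in testing: a plain ../../etc/passwd is stripped as expected, and only the double-encoded form slips through. The hardened function never relies on spotting ../ at all; it decodes once, refuses anything that still looks encoded, and makes the final decision on the fully resolved path.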

Conclusion

  1. Path traversal filters can be bypassed with double encoding when the application applies URL-decoding after the filter has run.

  2. Superfluous URL-decoding can introduce security risks.

  3. Proper input validation and access controls are crucial to preventing these attacks.
