Hackzzz - The Notebook

File path traversal, traversal sequences stripped with superfluous URL-decode

https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode

Level: Practitioner

This challenge is simple, just URL encode ../../../etc/passwd.

The server does not interpretate the URL encode so that's why we are able to bypass this.

PreviousFile path traversal, traversal sequences stripped non-recursively NextFile path traversal, validation of file extension with null byte bypass

Last updated 1 year ago