0

I have a link to a resource:

http://example.com/category/id/../test1.html

When I request this resource, on the server I see the URL without the escaped id and the double dots /../

I try to catch these dots in global.asax Application_BeginRequest, in custom modules, and in IIS logs; the result is the same: the URL is without the id and /../

http://example.com/category/test1.html

At which level can I extract the id?

Alex

1 Answer

0

As far as I know, if we use ../ in the URL this means the parent path, so the browser will automatically generate the new URL instead of the old one. We can't modify this browser action by using URL rewrite or something else, since the URL that comes to the server has already been modified.

In my opinion, the only way to get the ID is to modify the URL format or encode the URL.

Brando Zhang
  • Thanks for your answer, but I can infirm this: I use Burp (https://portswigger.net/burp) to track all requests from my device, and in the list of requests I can clearly see the first type of request, which contains /id/../page.html – Alex Jan 16 '19 at 08:12
  • I have used Fiddler to capture the request; it will auto-modify the URL in the browser like [this](https://i.stack.imgur.com/f9MJI.png). – Brando Zhang Feb 14 '19 at 05:34
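
The collapsing of `/id/../` discussed in this thread is the `remove_dot_segments` step of RFC 3986 section 5.2.4, and WHATWG URL parsers (browsers, Node.js) apply their own variant of it. The following is an added example, not code from the original posts, that runs both on the question's URL; the `%2e%2e` and `?id=id` variants are constructed samples, and `removeDotSegments` and `compare` are hypothetical helper names.

```javascript
// RFC 3986 section 5.2.4 "remove_dot_segments" (steps A-E), applied to a raw path.
// It does not percent-decode, so "%2e%2e" is an ordinary segment here.
function removeDotSegments(path) {
  let input = path;
  const output = [];
  while (input.length > 0) {
    if (input.startsWith("../")) input = input.slice(3);                  // A
    else if (input.startsWith("./")) input = input.slice(2);              // A
    else if (input.startsWith("/./")) input = input.slice(2);             // B
    else if (input === "/.") input = "/";                                 // B
    else if (input.startsWith("/../")) { input = input.slice(3); output.pop(); } // C
    else if (input === "/..") { input = "/"; output.pop(); }              // C
    else if (input === "." || input === "..") input = "";                 // D
    else {                                                                // E
      const next = input.indexOf("/", 1);
      const seg = next === -1 ? input : input.slice(0, next);
      output.push(seg);
      input = input.slice(seg.length);
    }
  }
  return output.join("");
}

// Normalize one URL two ways: the RFC algorithm on the raw path, and the
// WHATWG parser built into Node.js and browsers (global URL class).
function compare(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/?#]*/i, ""); // drop scheme + authority
  const cut = rest.search(/[?#]/);
  const rawPath = cut === -1 ? rest : rest.slice(0, cut);
  const tail = cut === -1 ? "" : rest.slice(cut);
  const parsed = new URL(url);
  return {
    rfc3986: removeDotSegments(rawPath) + tail,
    whatwg: parsed.pathname + parsed.search,
  };
}

// Constructed sample inputs, except the first, which is the URL from the question.
const samples = [
  "http://example.com/category/id/../test1.html",     // id removed by both
  "http://example.com/category/id/%2e%2e/test1.html", // WHATWG also treats %2e%2e as ".."
  "http://example.com/category/test1.html?id=id",     // id moved to the query string survives
];
for (const s of samples) console.log(s, compare(s));
```

Because the parsers disagree on `%2e%2e`, percent-encoding the dots is not a reliable way to carry the id through every component; a query parameter or a path format without dot segments is unaffected by this normalization.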