
I was reading about testing against directory traversal on this website: https://wiki.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)

And at the end it says

Testing for the flaw is achieved by:

file=....//....//boot.ini 
file=....\\....\\boot.ini 
file= ..\..\boot.ini

But what does `....\\` or `..../` actually achieve? Java's URI method `normalize()` does not care about it, and when I try it on a Windows machine nothing happens.

Awkjand
  • This is not a test for the `URI.normalize()` method. The first line is a test input for the code sample just above: `filename = Request.QueryString(“file”); Replace(filename, “/”,”\”); Replace(filename, “..\”,””);` which is "normalized" to `..\..\boot.ini`. That clearly shows that the code sample just above does **not** protect against directory traversal attacks. – Thomas Kläger May 26 '20 at 13:47
  • Ah okay I misunderstood, thanks for the clarification. – Awkjand May 26 '20 at 14:01
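The bypass described in the comment above, as an added example that is not part of the question or of the OWASP page: a Python re-implementation of the sample's single-pass `Replace` logic next to a canonicalisation check that stays correct for such inputs. `BASE_DIR` is an assumed document root; `ntpath` is used so the Windows path semantics hold regardless of the host OS.

```python
import ntpath

BASE_DIR = r"C:\inetpub\wwwroot\files"  # assumed web document root (not from the page)


def naive_sanitize(filename: str) -> str:
    """Reproduce the OWASP sample: turn '/' into '\\', then strip '..\\'.

    str.replace is a single, non-recursive pass, exactly like the Replace
    calls in the sample, so removing one '..\\' can leave behind a new one.
    """
    filename = filename.replace("/", "\\")
    return filename.replace("..\\", "")


def resolve_under_base(user_path: str, base_dir: str = BASE_DIR):
    """Hardened alternative: canonicalise the joined path and require that
    the result is still inside base_dir. Returns the canonical path or None.

    An absolute user path (drive letter or UNC) makes ntpath.join discard
    base_dir, which the containment check then rejects as well.
    """
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    # Compare case-insensitively (as NTFS does) and insist on a separator
    # after the base, so that "files2" is not accepted as inside "files".
    base_cmp = ntpath.normcase(base)
    cand_cmp = ntpath.normcase(candidate)
    if cand_cmp == base_cmp or cand_cmp.startswith(base_cmp + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    for probe in ("....//....//boot.ini", r"....\\....\\boot.ini", r"..\..\boot.ini"):
        print(f"{probe!r:28} naive -> {naive_sanitize(probe)!r:20} "
              f"canonical -> {resolve_under_base(probe)!r}")
```

Running the block shows the first two OWASP inputs collapsing to `..\..\boot.ini` after the naive filter, while the canonicalisation check rejects that path and keeps the odd-looking `....` components harmlessly inside the root.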
