Bypassing Filters in Path Traversal Attacks
If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, this does not mean that the application is not vulnerable. Many application developers are aware of path traversal vulnerabilities and implement various kinds of input validation checks in an attempt to prevent them. However, those defenses are often flawed and can be bypassed by a skilled attacker.
The first type of input filter commonly encountered involves checking whether the filename parameter contains any path traversal sequences, and if so, either rejects the request or attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks that use alternative encodings and other tricks to defeat the filter. These attacks all exploit the type of canonicalization problems faced by input validation mechanisms.
Always try path traversal sequences using both forward slashes and backslashes. Many input filters check for only one of these, while the underlying file system (Windows in particular) accepts both as directory separators.
Try simple URL-encoded representations of traversal sequences, using the following encodings. Be sure to encode every single slash and dot within your input:
forward slash %2f
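As an added example that is not from the original text, the Python script below generates the variants the preceding paragraphs recommend (forward slash, backslash, and each with every dot and separator URL-encoded) and runs them against a deliberately flawed filter of the kind described, one that string-matches the literal ../ in the raw parameter and only decodes afterwards, beside a resolver that decodes and canonicalizes first and then checks that the result is still under the document root. The document root /var/www/app/files, the target etc/passwd, the traversal depth of four, and the function names are assumptions chosen for the example; none of them come from the book.

```python
import os
from urllib.parse import unquote

# Assumed document root for the example; the traversal depth below is chosen
# to climb out of exactly this many directories.
BASE_DIR = "/var/www/app/files"
ROOT = os.path.realpath(BASE_DIR)


def url_encode_all(payload):
    """Percent-encode every dot, forward slash and backslash (lowercase hex),
    leaving other characters alone, as the text advises."""
    return "".join(
        "%{:02x}".format(ord(ch)) if ch in "./\\" else ch for ch in payload
    )


def traversal_variants(target="etc/passwd", depth=4):
    """The four payloads to try: plain and fully URL-encoded, for each separator.
    Constructed sample input; `target` is the file to reach once out of BASE_DIR."""
    variants = []
    for sep in ("/", "\\"):
        plain = (".." + sep) * depth + target.replace("/", sep)
        variants.append(plain)
        variants.append(url_encode_all(plain))
    return variants


def naive_filter(filename):
    """Flawed filter: rejects only the literal '../' sequence in the raw
    parameter value. Returns True when the input is allowed."""
    return "../" not in filename


def vulnerable_resolve(encoded_filename):
    """Self-defeating pattern: validates the raw value, then URL-decodes it,
    normalizes backslashes, and joins it to the document root. Encoded or
    backslash sequences pass the check and are interpreted afterwards."""
    if not naive_filter(encoded_filename):
        return None
    decoded = unquote(encoded_filename).replace("\\", "/")
    # os.path.join also discards ROOT if `decoded` is absolute, so '%2fetc%2fpasswd'
    # escapes without any '..' at all.
    return os.path.normpath(os.path.join(ROOT, decoded))


def hardened_resolve(encoded_filename):
    """Canonicalize first, check last: decode, resolve to a real absolute path
    (realpath also follows symlinks), and accept only paths under ROOT."""
    decoded = unquote(encoded_filename).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(ROOT, decoded))
    if os.path.commonpath([ROOT, candidate]) != ROOT:
        return None
    return candidate


def escaping_variants(resolver, variants=None):
    """Return the variants for which `resolver` hands back a path outside ROOT."""
    escaped = []
    for variant in variants if variants is not None else traversal_variants():
        resolved = resolver(variant)
        if resolved is not None and os.path.commonpath([ROOT, resolved]) != ROOT:
            escaped.append(variant)
    return escaped


if __name__ == "__main__":
    for variant in traversal_variants():
        print("{:55} naive -> {}".format(variant, vulnerable_resolve(variant)))
    print("escapes through naive filter:", len(escaping_variants(vulnerable_resolve)))
    print("escapes through hardened resolver:", len(escaping_variants(hardened_resolve)))
```

Only the plain forward-slash payload is stopped by the naive filter; the backslash form and both encoded forms resolve to /etc/passwd, which is exactly the canonicalization gap the text describes. The hardened resolver rejects all four because it compares the canonical result rather than the raw string.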