/Code Review/Path Traversal Double Encoding Bypass

Path Traversal Double Encoding Bypass

Bypassing path traversal filters using double URL encoding.

HIGHHard

Vulnerable Codepython

1from flask import Flask, request, send_file
2from urllib.parse import unquote
3import os
4
5app = Flask(__name__)
6
7@app.route('/download')
8def download():
9    filename = request.args.get('file', '')
10    
11    # Decode URL encoding
12    filename = unquote(filename)
13    
14    # Check for path traversal
15    if '..' in filename:
16        return "Invalid path", 400
17    
18    filepath = os.path.join('/var/uploads', filename)
19    return send_file(filepath)

Understanding the Issue

Double encoding (%252e = %2e after first decode = . after second) bypasses filters that check after only one decode. Always validate the final resolved path.

Double URL Encoding

Encode dots and slashes twice to bypass filters

Malicious Input

%252e%252e%252f = ../ (double encoded)
%252e = %2e (after 1st decode) = . (after 2nd)
..%c0%af = ../ (overlong UTF-8)

Impact

Bypasses filter, accesses /etc/passwd

Technical Details

Vulnerability Type: Path Traversal (Double Encoding)
Severity: HIGH
Language: Python
CWE: CWE-22
OWASP: A01:2021 - Broken Access Control

Path Traversal Double Encoding Bypass

Understanding the Issue

How Attackers Exploit This

Double URL Encoding

Finding the Vulnerability(3 hints)

Technical Details

Path Traversal Double Encoding Bypass

Understanding the Issue

How Attackers Exploit This

Double URL Encoding

Finding the Vulnerability(3 hints)

Technical Details