Path Traversal

Intermediate

Escape the web root using ../ sequences to read arbitrary server files. Enable naive string filtering and watch it fail against URL encoding — then apply the proper fix.

Challenges

1. Basic Path Traversal
   Request `../../../etc/passwd` with no protections. You should see the contents of /etc/passwd.

2. Bypass the String Filter
   Enable 'Block ../' protection, then use URL encoding to bypass it.

3. Apply the Proper Fix
   Enable `path.basename()` protection. Now both attacks are blocked.
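
The three challenge steps as a Node.js sketch, added here as an example and not the simulation's own code. It assumes a web root of /var/www/files and a 'Block ../' filter that inspects the raw, still-encoded parameter; the function names are hypothetical.

```javascript
// Added example, not the simulation's code. WEB_ROOT, the function names and
// the filter's check-before-decode behaviour are assumptions.
const path = require('node:path').posix;

const WEB_ROOT = '/var/www/files';

// Challenge 1: no protection. The decoded value is joined straight onto the root.
function resolveUnprotected(rawParam) {
  return path.join(WEB_ROOT, decodeURIComponent(rawParam));
}

// Challenge 2: 'Block ../' as a string match on the raw value. The separator
// is still encoded at this point, so the match never fires.
function resolveWithStringFilter(rawParam) {
  if (rawParam.includes('../')) return null; // request rejected
  return path.join(WEB_ROOT, decodeURIComponent(rawParam));
}

// Challenge 3: decode first, keep only the final path component, then confirm
// the joined result is still under the web root (resolve-and-check).
function resolveWithBasename(rawParam) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch {
    return null; // malformed percent-encoding
  }
  const name = path.basename(decoded);
  if (name === '' || name === '.' || name === '..') return null;
  const full = path.join(WEB_ROOT, name);
  return full.startsWith(WEB_ROOT + '/') ? full : null;
}

// Constructed inputs: the page's traversal string, plain and percent-encoded.
const PLAIN = '../../../etc/passwd';
const ENCODED = encodeURIComponent(PLAIN);

for (const input of [PLAIN, ENCODED, 'report.pdf']) {
  console.log(input.padEnd(30), {
    unprotected: resolveUnprotected(input),
    stringFilter: resolveWithStringFilter(input),
    basename: resolveWithBasename(input),
  });
}
```

With `path.basename()` both forms of the request collapse to `passwd` inside the web root, so the server can only answer with a file from the served directory or a not-found error.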
How to fix path traversal
basename, resolve-and-check, and allowlists
