Characters allowed in path traversal

Check which characters are allowed inside a path traversal and the URL still traverses

Created by: joaxcar

Created on: Monday, August 26, 2024 at 8:20:34 PM

Updated on: Thursday, November 21, 2024 at 7:58:20 AM

Vector type: JS

Vector charset: UTF-8

Template used:
new URL("https://x.se/long/..$[chr]/a").pathname.length > 4 ? false : log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

new URL("https://x.se/long/.. /a").pathname.length > 4 ? false : alert(9)new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)

Fuzz results

Firefox 129.0 desktop macOS 10.15

Updated

Mon Aug 26 2024

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending

Safari 17.4.1 desktop macOS 10.15.7

Updated

Mon Aug 26 2024

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending

Chrome 127.0.0.0 desktop macOS 10.15.7

Updated

Mon Aug 26 2024

Found 5 results

Show differences only?

Filter out alphanumeric

Sort ascending