Characters allowed in path traversal
Check which characters are allowed inside a path traversal and the URL still traverses
Created by: joaxcar
Created on: Monday, August 26, 2024 at 8:20:34 PM
Updated on: Monday, September 16, 2024 at 4:40:07 PM
Vector type: JS
Template used:
new URL("https://x.se/long/..$[chr]/a").pathname.length > 4 ? false : log($[i])Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
new URL("https://x.se/long/.. /a").pathname.length > 4 ? false : alert(9)new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : alert(35)new URL("https://x.se/long/..//a").pathname.length > 4 ? false : alert(47)new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : alert(63)new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : alert(92)Fuzz results
Chrome 127.0.0.0 desktop macOS 10.15.7
Found 5 results
| Dec | Hex | Chr |
|---|---|---|
| 9 | 09 | HT |
| Dec | Hex | Chr |
|---|---|---|
| 35 | 23 | # |
| Dec | Hex | Chr |
|---|---|---|
| 47 | 2f | / |
| Dec | Hex | Chr |
|---|---|---|
| 63 | 3f | ? |
| Dec | Hex | Chr |
|---|---|---|
| 92 | 5c | \ |
Firefox 129.0 desktop macOS 10.15
Found 5 results
| Dec | Hex | Chr |
|---|---|---|
| 9 | 09 | HT |
| Dec | Hex | Chr |
|---|---|---|
| 35 | 23 | # |
| Dec | Hex | Chr |
|---|---|---|
| 47 | 2f | / |
| Dec | Hex | Chr |
|---|---|---|
| 63 | 3f | ? |
| Dec | Hex | Chr |
|---|---|---|
| 92 | 5c | \ |
Safari 17.4.1 desktop macOS 10.15.7
Found 5 results
| Dec | Hex | Chr |
|---|---|---|
| 9 | 09 | HT |
| Dec | Hex | Chr |
|---|---|---|
| 35 | 23 | # |
| Dec | Hex | Chr |
|---|---|---|
| 47 | 2f | / |
| Dec | Hex | Chr |
|---|---|---|
| 63 | 3f | ? |
| Dec | Hex | Chr |
|---|---|---|
| 92 | 5c | \ |