Dot (.) Does Matter for Cross-platform Applications

Recently, my network software ran into a strange security issue. The vulnerability testing software showed that it could gain access to protected resources without authorization.

Access Protected Resource

I have a protected resource, and the scanner reached it through a dot-segment variant of the same URL:

https://ip/secured/neverseen.txt
https://ip/./secured/neverseen.txt

Test with the curl Tool

curl https://ip/./secured/neverseen.txt
daemon: ip/secured/neverseen.txt
curl https://ip/%2e/secured/neverseen.txt
daemon: "ip/./secured/neverseen.txt"

The plain "./" form is now collapsed before it reaches the daemon, but the percent-encoded "%2e" form arrives with the dot segment still in place: the dot handling runs before the percent-decoding.

Test It Again!

I ran the vulnerability test again. Unfortunately, it still reports a finding: the scanner can download my "neverseen.txt" file directly without authorization.

Oops!!! Why?

I need to check the logs of the exploit tool and understand why it can still download secured files. The request that succeeded looks like this:

https://ip/secured%2e/neverseen.txt

Linux vs Windows

This is a filesystem-related difference between Windows and Unix/Linux. On Windows, a trailing dot in a file or directory name is ignored, so "secured." and "secured" refer to the same folder; on Linux they are two different names. My authorization check compared the request path against "/secured/" and did not match "/secured./", but the Windows filesystem happily served the file from the real "secured" directory.

Finally!

I added a rule to my URI normalization tool that converts "folder." to "folder", and it finally passed the vulnerability test!
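To make the fix concrete, here is an added Python example of the normalization order that closes both findings from this post. It is not the author's code; the prefix "/secured", the function names, and the sample request paths are assumptions chosen to match the URLs above. The key points are that percent-decoding happens before dot segments are resolved, and that the target filesystem's name rules (here, the Windows rule that trailing dots and spaces are ignored) are applied before the authorization check.

```python
from urllib.parse import unquote

# Prefix that requires authorization (assumed layout matching the post's URLs).
PROTECTED_PREFIX = "/secured"


def remove_dot_segments(segments):
    """Resolve '.' and '..' segments (RFC 3986 section 5.2.4) on a split path."""
    resolved = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return resolved


def normalize_uri_path(raw_path, windows_fs=False):
    """Return the canonical path the filesystem will actually open.

    windows_fs=True models the Win32 rule that trailing dots and spaces in a
    name are ignored, so 'secured.' and 'secured' are the same directory.
    """
    # Step 1: percent-decode BEFORE looking for dot segments. Checking the raw
    # string lets "%2e" slip past a rule that only matches a literal ".".
    decoded = unquote(raw_path)
    # Step 2: split into segments, ignoring empties from "//" or the leading "/".
    segments = [s for s in decoded.split("/") if s != ""]
    # Step 3: collapse "." and ".." on the decoded segments.
    segments = remove_dot_segments(segments)
    # Step 4: apply the target filesystem's name rules to what remains, so the
    # authorization check sees the same name the filesystem will resolve.
    if windows_fs:
        segments = [s.rstrip(". ") for s in segments]
        segments = [s for s in segments if s != ""]
    return "/" + "/".join(segments)


def requires_auth(raw_path, windows_fs=False):
    """Decide authorization on the normalized path, never on the raw request."""
    path = normalize_uri_path(raw_path, windows_fs)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


# Constructed request paths following the shapes seen in the post.
SAMPLE_REQUESTS = [
    "/secured/neverseen.txt",
    "/./secured/neverseen.txt",
    "/%2e/secured/neverseen.txt",
    "/secured%2e/neverseen.txt",
    "/public/../secured/neverseen.txt",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for fs in (False, True):
            norm = normalize_uri_path(req, fs)
            print(f"{req:34} windows_fs={fs!s:5} -> {norm:26} auth={requires_auth(req, fs)}")
```

Running the block shows why the bug only bit on Windows: "/secured%2e/neverseen.txt" normalizes to "/secured./neverseen.txt" on Linux, which is a different (non-existent) directory, but to "/secured/neverseen.txt" on Windows, where it must be treated as protected. If the application decodes the path a second time later in the pipeline, the normalization has to run after that last decode, or the same class of bypass returns with double-encoded dots.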
