Dot (.) Does Matter for Cross-platform Applications

Access Protected Resource

I have a protected resource:

https://ip/secured/neverseen.txt
https://ip/./secured/neverseen.txt

Test with the curl Tool

curl https://ip/./secured/neverseen.txt
daemon: ip/secured/neverseen.txt
curl https://ip/%2e/secured/neverseen.txt
daemon: “ip/./secured/neverseen.txt”.

Test It Again!

I ran the vulnerability test again. Unfortunately, it still reported errors. They could download my “neverseen.txt” file directly without authorization.

Oops!!! Why?

I need to check the logs in the exploit tool to understand why they can download secured files.

https://ip/secured%2e/neverseen.txt

Linux vs Windows

This is a filesystem-related difference between Windows and Unix/Linux: Windows strips trailing dots from file and folder names, so a request for “secured.” opens the same “secured” folder, while a Unix/Linux path (and a plain string comparison against “/secured/”) treats “secured.” as a different name. The authorization check therefore never matched, but the file was still served.

Finally!

I added a rule to convert “folder.” to “folder” in my URI normalization tool, and it finally passed the vulnerability test!
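As an added example (not the author's normalization tool), here is a small Python path normalizer that applies the rule above before the authorization check: percent-decode, resolve dot segments, then drop trailing dots from each segment when the files live on a Windows volume. It assumes the protected folder is “/secured/”, and it also folds case, which goes beyond the post because NTFS names are compared case-insensitively as well.

```python
from urllib.parse import unquote

PROTECTED_PREFIX = "/secured/"   # assumed protection rule for the post's protected folder


def normalize_path(raw_path: str, windows_backend: bool = True) -> str:
    """Canonicalize a request path before it is compared with protection rules.

    1. Percent-decode until the string stops changing, so %2e and %252e both
       end up as a literal dot (an encoded slash is treated as a separator too).
    2. Resolve '.' and '..' segments.
    3. If the files live on a Windows volume, apply the Win32 name rules behind
       the bypass in the post: trailing dots (and spaces) are dropped from every
       segment, and names compare case-insensitively. (Simplified model of Win32
       normalization; enough for the 'folder.' -> 'folder' case.)
    """
    path = raw_path
    while (decoded := unquote(path)) != path:
        path = decoded
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        if windows_backend:
            seg = seg.rstrip(". ").lower()   # 'secured.' -> 'secured', 'SECURED' -> 'secured'
            if not seg:                      # segment made only of dots/spaces
                continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(raw_path: str, windows_backend: bool = True) -> bool:
    """Authorization gate: True when the normalized path is inside the protected folder."""
    norm = normalize_path(raw_path, windows_backend)
    prefix = PROTECTED_PREFIX.lower() if windows_backend else PROTECTED_PREFIX
    return norm == prefix.rstrip("/") or norm.startswith(prefix)


if __name__ == "__main__":
    # Constructed sample requests, including the three variants from the post.
    for p in ("/secured/neverseen.txt", "/./secured/neverseen.txt",
              "/%2e/secured/neverseen.txt", "/secured%2e/neverseen.txt",
              "/SECURED./neverseen.txt"):
        print(f"{p:30} -> {normalize_path(p):24} protected={is_protected(p)}")
```

With windows_backend=False the trailing dot is kept, which is correct on Linux, where “secured.” really is a different directory.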
