XPATH, LDAP and Path-Traversal Injection
XPATH
XPATH injection
• A standard error in XPATH parsing
• XPATH is a query language available for XML parsing
• MS SQL Server provides an interface through which one can get table content in XML format.
• Once this is fetched, one can run XPATH queries on it and obtain results.
• What if username/password validation is done using XPATH? XPATH injection.
XPATH injection
using System.Xml;
using Microsoft.Data.SqlXml;

// Deliberately vulnerable credential check, as on the slide: user and pass
// are concatenated straight into the XPATH expression (fixed only for syntax).
bool CheckCredential(string user, string pass)
{
    string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
    SqlXmlCommand co = new SqlXmlCommand(coString);
    co.RootTag = "Credential";
    co.CommandType = SqlXmlCommandType.Sql;
    co.CommandText = "SELECT * FROM users for xml Auto";
    XmlReader xr = co.ExecuteXmlReader();
    xr.MoveToContent();
    string fulltext = xr.ReadOuterXml();
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(fulltext);
    // Injection point: untrusted input is spliced into the predicate unescaped.
    string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
    XmlNodeList xmln = doc.SelectNodes(credential);
    if (xmln.Count > 0)
    {
        return true;  // a matching node exists
    }
    else
    {
        return false; // no match
    }
}
XPATH injection
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
• XPATH parsing can be leveraged by passing the following string as the username: ' or 1=1 or ''='
• The predicate then always evaluates to true for the first node, and the user gets access as whoever the first user is.
Bingo!
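Added example (not code from the deck): the same credential lookup in Python, with the slide's unsafe string splice next to a hardened version that wraps each input as an XPATH string literal (concat() when a value carries both quote types), so ' or 1=1 or ''=' is matched as data instead of being parsed as a predicate. The <Credential> document with its two users is constructed here, and ElementTree stands in for the slide's System.Xml.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the <Credential> document slide 4 builds from
# "SELECT * FROM users for xml Auto" (one <users> element per row).
SAMPLE_XML = """<Credential>
  <users username="alice" password="s3cret"/>
  <users username="bob" password="hunter2"/>
</Credential>"""
ROOT = ET.fromstring(SAMPLE_XML)


def unsafe_credential_query(user: str, pwd: str) -> str:
    """Slide 4's construction: a quote in `user` closes the literal and the
    remainder of the input is parsed as XPATH operators."""
    return "//users[@username='" + user + "' and @password='" + pwd + "']"


def xpath_literal(value: str) -> str:
    """Wrap an arbitrary string as an XPATH 1.0 string literal.
    XPATH 1.0 has no escape sequence for quotes, so a value containing both
    kinds of quote is expressed as concat() of single-quote-free pieces."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in pieces) + ")"


def safe_credential_query(user: str, pwd: str) -> str:
    # Two chained predicates are equivalent to `and`; the literals are quoted
    # by xpath_literal, so user input can never change the query structure.
    return f".//users[@username={xpath_literal(user)}][@password={xpath_literal(pwd)}]"


def find_user(root: ET.Element, user: str, pwd: str) -> list:
    """Evaluate the safe query. ElementTree understands plain quoted literals;
    the concat() form needs a full XPATH 1.0 engine (lxml, System.Xml)."""
    return root.findall(safe_credential_query(user, pwd))
```

A cleaner option still is to select by username only and compare a password hash in application code, so the secret never enters the query at all.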
LDAP Injection
Description
• LDAP : Lightweight Directory Access Protocol
• Runs over TCP/IP
• Used for modifying and querying directory services
• Object oriented
• Stores and organizes information that shares some common attributes
Attack Anatomy
• Normal flow : expected input (good query) → expected results
Attack Anatomy
• Checking for vulnerability : erroneous input (bad query) → server error / unexpected behavior → LDAP injectable !!!
Attack Anatomy
• Common Injection methods :
– AND Injection
– OR Injection
• Common risks :
– Information Disclosure
– Role Escalation
– Authentication Bypass
Attack Anatomy
• AND injection
– Normal query structure : (&(param1=val1)(param2=val2))
– Attacker tries to supply two values within the input for val1
– Thus val2 is never checked, and the query is executed
– Attacker inputs values which always evaluate to “true”
Attack Anatomy
Login form: asks for username and password
Uname = abc, pwd = 123
Query : (&(uname=abc)(pwd=123))
Attack Anatomy
Login form: asks for username and password
Uname = abc)(&), pwd = (left blank)
Query : (&(uname=abc)(&))(pwd=))
Attack Anatomy
• OR Injection
– Similar to AND Injection
– Normal query structure : (|(param1=val1)(param2=val2))
– Normally used by the attacker for information disclosure
Attack Anatomy
Resource viewer : http://www.something.com/res.cgi?type=1
• Restricted access
• Machines accessible to the uid of the user are displayed
Attack Anatomy
Resource viewer : http://www.something.com/res.cgi?type=1)(uid=*))
• Notice the injection
• Attacker bypasses the user id check
• (S)he can view all machines now
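Added example, not from the slides: building the login and resource-viewer filters above in Python with RFC 4515 value escaping, so abc)(&) and 1)(uid=*) become literal attribute values, plus a well-formedness check that flags a filter such as (&(uname=abc)(&))(pwd=)) in request logs. The attribute names uname, pwd, type and uid are the slides' own; everything else is constructed.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it can only ever match as data."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(op: str, **attrs: str) -> str:
    """Build (&(a=v)(b=w)) or (|(a=v)(b=w)).
    Attribute names come from code (keyword names); only values are untrusted."""
    if op not in ("&", "|"):
        raise ValueError("op must be & or |")
    parts = "".join(f"({name}={escape_filter_value(value)})" for name, value in attrs.items())
    return f"({op}{parts})"


def login_filter(uname: str, pwd: str) -> str:
    """Slide 13's query, built safely. Empty credentials are refused up front:
    many directories treat a bind with an empty password as anonymous."""
    if not uname or not pwd:
        raise ValueError("username and password are required")
    return build_filter("&", uname=uname, pwd=pwd)


def resource_filter(res_type: str, uid: str) -> str:
    """Slide 16's resource viewer: machines of one type visible to one uid."""
    return build_filter("&", type=res_type, uid=uid)


def is_well_formed(ldap_filter: str) -> bool:
    """Detection helper: exactly one balanced filter with nothing trailing.
    Slide 14's (&(uname=abc)(&))(pwd=)) fails because a complete filter
    ends before the end of the string; a server would evaluate only that part."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False
    return depth == 0 and ldap_filter.startswith("(")
```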
Path Traversal & Injection
Description
• An application has numerous resources
– Images
– Sound
– Videos
– Background and page eye-candy
• A normal application would group these in separate directories and put the code in a separate directory
Description
• A poorly developed application would use absolute/relative paths to reach the necessary resources
• Even worse, some applications directly use user preferences from the URL / cookies and append them to the URI for these resources
• A user could then modify the URL / cookie values and view files not meant for him/her
Attack Anatomy
• The attacker begins by identifying resources accessed via URIs
• Then the attacker looks for URLs or cookies which contain the resource identifiers
• Usually, such applications set the resource names (and possibly even the paths) via URLs and cookies
Attack Anatomy
• Before the attacker begins to browse directories, (s)he tries to find out the operating system type of the server
• This is necessary because Unix based servers allow the forward slash for directory traversal and Windows based servers allow the backward slash for directory traversal
Attack Anatomy
Attacker sends URL : http://something.com?pref=page1.html
Attacker: Interesting … pref=page1.html
Server serves back page1.html
Attacker: Maybe .... path traversal ???
Attack Anatomy
Attacker sends Cookie: PREF=page1.html
Attacker: Interesting … PREF=page1.html
Server sends back a page with page1.html as the background
Attacker: Maybe .... path traversal ???
Attack Anatomy
• Once the attacker has determined that an application is vulnerable to path traversal, (s)he tries out the following, depending on
– The operating system of the server
– The level of input scanning the application does ...
Attack Anatomy
• Unix based servers
– Use the forward slash (/)
– Attacker begins with “../” sequences
• If the application scans for sequences such as the dot-dot-slash, the attacker will try :
– %2e%2e%2f
– %2e%2e/
– ..%2f
Attack Anatomy
• Windows based servers
– Use the backward slash (\)
– Attacker begins with “..\” sequences
• If the application scans for sequences such as the dot-dot-slash, the attacker will try :
– %2e%2e%5c
– %2e%2d
– ..%5c
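Added example, not from the deck: a Python resolver for a pref=page1.html style parameter that decodes the value once, treats both slash styles as separators (Windows accepts / as well as \, so both are rejected on every platform), canonicalises the result and checks that it still lies under the document root; an allowlist check is shown as the stricter alternative. The base directory /srv/app/pages and the requested names are constructed for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the resource viewer.
BASE_DIR = "/srv/app/pages"

_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside base_dir, else None."""
    # Decode exactly once, as the web layer does, so %2e%2e%2f becomes ../ and is
    # checked in decoded form. A doubly encoded value stays literal (%2e%2e) and
    # is harmless unless some later layer decodes it again: never decode twice.
    name = unquote(requested)
    # A NUL byte can truncate the path in C libraries underneath the runtime.
    if "\x00" in name:
        return None
    # Treat backslash as a separator everywhere: Windows accepts both, so a
    # check that only knows "/" is bypassed there with ..%5c.
    name = name.replace("\\", "/")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Containment on the canonical path covers ../, its encoded variants,
    # absolute paths (os.path.join discards base for them) and symlinks.
    if full == base or os.path.commonpath([base, full]) != base:
        return None
    return full


def allowed_name(requested: str) -> bool:
    """Stricter alternative: allow only the exact shape a page name may take."""
    return _SAFE_NAME.fullmatch(requested) is not None
```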
Conclusion