# Test Path Traversal

## Goal

Determine whether user input can escape the intended filesystem path boundary and access unexpected files or directories.

## Assumptions

- the app reads or writes files based on user-controlled identifiers
- path normalization may be incomplete
- platform-specific separators or encodings may matter

## Prerequisites

- file-related endpoints or upload/extraction features
- ability to replay requests and compare responses

## Recon steps

1. Identify download, preview, import, extraction, and template-related features.
2. Map where path-like input appears in routes, params, or JSON.
3. Note OS/platform behavior where relevant.

## Exploit / test steps

1. Try simple traversal sequences.
2. Test encoded or alternate separator variants where appropriate.
3. Compare behavior for read and write operations.
4. Probe archive extraction or upload workflows for directory escape.
5. Observe whether normalization happens before or after validation.

## Validation clues

- access to unexpected files
- different errors when escaping intended directories
- writes or extractions landing outside controlled paths

## Mitigation

- avoid raw user-controlled filesystem paths
- use indirect references or strict allowlists
- canonicalize safely and verify final paths
- isolate processing and storage accounts/dirs

## Logging / detection

- repeated traversal-like strings
- failed file access outside expected trees
- extraction or write attempts outside upload areas

## Related notes

- path-traversal
- file-upload-abuse
- http-messages
- exposed-storage

## References

- Testing / Lab: PortSwigger path traversal topic — https://portswigger.net/web-security/file-path-traversal
- Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/
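The "canonicalize safely and verify final paths" mitigation and the "repeated traversal-like strings" detection clue, as an added example that is not part of the playbook: a weak check that validates the raw string before normalizing (the pattern the test steps probe for) beside a check that decodes and normalizes first and then verifies containment, plus a small per-client counter over constructed log lines. The upload root `BASE_DIR`, the log format and the log lines are all assumptions made for the example.

```python
"""Added example (not from the playbook): canonicalize-then-verify path
containment beside the weak check-raw-then-normalize pattern, plus a
detector for repeated traversal-like request strings in log lines."""
import posixpath
import re
from urllib.parse import unquote

BASE_DIR = "/srv/app/uploads"  # assumed upload root (constructed)

def weak_resolve(base, user_path):
    """Weak: string check on the raw input, normalization afterwards.
    Encoded dot segments and absolute paths pass the check and escape base."""
    if ".." in user_path:
        return None
    return posixpath.normpath(posixpath.join(base, unquote(user_path)))

def safe_resolve(base, user_path):
    """Decode, treat backslash as a separator, join and normalize first,
    then verify the final path is still under base; None if it escapes.
    On a live filesystem also resolve symlinks (os.path.realpath) first."""
    base = posixpath.normpath(base)
    decoded = unquote(user_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    return candidate if posixpath.commonpath([base, candidate]) == base else None

# ".." that begins a segment (after start, '=', '?', '&', '/') and ends one;
# a plain name such as "2024..report.pdf" does not match.
TRAVERSAL_RE = re.compile(r"(?:^|[^\w.])\.\.(?:[/\\]|$)")

def traversal_hits(log_lines):
    """Count requests per client whose decoded path carries a dot-dot
    segment; decodes twice so double-encoded variants are caught."""
    counts = {}
    for line in log_lines:
        client, _method, path, _status = line.split()
        if TRAVERSAL_RE.search(unquote(unquote(path)).replace("\\", "/")):
            counts[client] = counts.get(client, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed; format "<client> <method> <path> <status>"
    "10.0.0.5 GET /download?file=report.pdf 200",
    "10.0.0.9 GET /download?file=../../etc/passwd 404",
    "10.0.0.9 GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd 404",
    "10.0.0.9 GET /download?file=..%255c..%255cwindows%255cwin.ini 400",
    "10.0.0.5 GET /download?file=2024..report.pdf 200",
]
```

`weak_resolve` lets the encoded input land at `/srv/etc/passwd` because it normalizes after the string check; `safe_resolve` rejects the same input, and `traversal_hits` attributes all three traversal-like requests to one client while ignoring the benign `2024..report.pdf`.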