-include-..-2f..-2f..-2f..-2froot-2f Jun 2026
<?php
// Take the requested page name from the query string and strip any
// directory components before building the include path.
$page = basename($_GET['page']); // strips any directory components
include("/var/www/html/pages/" . $page . ".php");
Running the application with "least privilege" so it physically cannot access system folders even if a bug exists.

-include-..-2F..-2F..-2F..-2Froot-2F

After normalization, this resolves to /etc/passwd. The server then includes that file, and if the include function is not restricted to PHP files only, the contents of /etc/passwd may be disclosed.
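An added example, not code from the original page, showing the two steps the text describes: decoding the -2F / %2F encodings so the traversal sequence shows through (the normalization step above), and the kind of rule a WAF applies to drop such requests (the perimeter filtering described further down). The dash-to-byte decoding and the sample request paths are assumptions constructed here.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not from the original page): the page's
# dash-encoded payload, its percent-encoded twin, and two benign requests.
SAMPLE_REQUESTS = [
    "/index.php?page=-include-..-2F..-2F..-2F..-2Froot-2F",
    "/index.php?page=..%2F..%2F..%2F..%2Froot%2F",
    "/index.php?page=about",
    "/images/logo.png",
]

# Assumption: the page's "-2F" form is a hex byte written with a dash instead
# of a percent sign. Legitimate hyphenated slugs may need an exclusion list.
DASH_ENCODED = re.compile(r"-([0-9A-Fa-f]{2})")


def normalize(value: str) -> str:
    """Decode percent-encoding (%2F) and the dash-encoded variant (-2F).
    Decoding repeats until stable so double-encoded input (%252F) is also
    unwrapped, which is what lets the traversal sequence show through."""
    prev = None
    while prev != value:
        prev = value
        value = unquote(value)
        value = DASH_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), value)
    return value


def is_traversal(value: str) -> bool:
    """True when the decoded path contains a '..' segment, i.e. the request
    is trying to climb out of the directory the application intended."""
    decoded = normalize(value).replace("\\", "/")
    return ".." in decoded.split("/")


def flag_requests(requests):
    """Return the requests a perimeter rule like the one described would drop."""
    return [r for r in requests if is_traversal(r)]


if __name__ == "__main__":
    for req in flag_requests(SAMPLE_REQUESTS):
        print("DROP", req, "->", normalize(req))
```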
Modern WAFs use deep packet inspection and signature matching to detect URL-encoded patterns, directory traversal sequences, and anomalous character sequences like -2F or %2F. A properly tuned WAF will drop the malicious request at the network perimeter before it ever reaches the application layer.

Conclusion
If an application is vulnerable to this payload, the consequences can be catastrophic for an organization: