

What is wrong with Escaping or Input Sanitization

03/03/2025

The earliest documented instance of a path traversal vulnerability is the Windows 95 “Dot Dot” bug, which dates back to October 1995. The vulnerability allowed an adversary to traverse outside the intended directories of the Windows 95 file-sharing service and read the contents of the entire shared drive. Three decades have passed since the publication of this vulnerability, and one might assume that by now we know how to avoid it in the first place, or at least how to address it effectively. Do we?

Path traversal was one of the earliest secure coding challenges I added to SecDim. It is available in multiple languages and has received a large number of security patches, so I looked at the different approaches that have been taken to patch it.

A popular approach to addressing the vulnerability is to escape or strip ../ from the input, on the assumption that whatever remains is safe (the cover image shows an example of this). Aside from the ways this patch can be bypassed, the escaping approach is fundamentally wrong.

As I explained in SecDim's 1st Defensive Programming Principle, this approach mistakenly treats inputs as sequences of “safe” and “unsafe” characters, based on the flawed assumption that escaping or removing the unsafe characters automatically makes the input safe to use.

The root issue is a misunderstanding of input sanitisation. Whether an input is safe depends on the integrity of the entire input, not on a few removed or escaped fragments; sanitising isolated elements cannot guarantee the overall safety of the input.

This flawed approach to security is one of the reasons path traversal vulnerabilities continue to appear, even decades after the first documented case. Developers must shift from reactive patching to secure-by-design prevention, such as enforcing strict directory controls or resolving paths securely with robust API functions designed to prevent traversal. The persistence of path traversal vulnerabilities shows that security is not about removing ‘bad’ characters; it is about ensuring that the entire input is parsed in a way that guarantees safety.
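The contrast above in code, as an added example that is not part of the original post or of SecDim's challenge sources: `strip_dotdot` is the criticised patch, which edits the input and never checks the result, while `resolve_inside` resolves the whole path against a base directory and accepts it only if it still lies inside. The sample directory tree and file names are constructed for the example.

```python
import tempfile
from pathlib import Path

# Constructed sample tree for the example: <tmp>/share/docs/readme.txt
BASE = Path(tempfile.mkdtemp()) / "share"
(BASE / "docs").mkdir(parents=True)
(BASE / "docs" / "readme.txt").write_text("hello")


def strip_dotdot(user_path: str) -> str:
    """The patch the post criticises: remove '../' and hope the rest is safe.

    It mutates the input instead of validating it, and the result is never
    compared against the directory the file is supposed to live in.
    """
    return user_path.replace("../", "")


def resolve_inside(base: Path, user_path: str) -> Path:
    """Secure-by-design alternative: resolve the entire path ('..', '.',
    symlinks and absolute inputs included) and accept it only if the
    resolved result is still inside `base`; otherwise reject the input."""
    base = base.resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"{user_path!r} resolves outside {base}")
    return candidate


def is_confined(user_path: str) -> bool:
    """True if `user_path` is accepted by resolve_inside, False if rejected."""
    try:
        resolve_inside(BASE, user_path)
        return True
    except PermissionError:
        return False


def read_shared_file(user_path: str) -> str:
    """Read a file from the shared tree using the resolve-and-check approach."""
    return resolve_inside(BASE, user_path).read_text()
```

Note that `docs/../docs/readme.txt` never leaves the share: the resolving check accepts it, while the stripping patch rewrites it into `docs/docs/readme.txt`, a file that does not exist.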
