-file-..-2f..-2f..-2f..-2fhome-2f-2a-2f.aws-2fcredentials Online

The vulnerable handler (Flask view bound to `/download`; the lookup is done with unvalidated user input):

```python
from flask import request

def download():
    filename = request.args.get('file')  # attacker-controlled, never validated
    with open('/var/log/app/' + filename, 'r') as f:  # '..' segments escape the base directory
        return f.read()
```

An attacker sends:

`https://victim.com/download?file=../../../../home/ec2-user/.aws/credentials`

The server opens `/var/log/app/../../../../home/ec2-user/.aws/credentials`, which normalises to `/home/ec2-user/.aws/credentials`, so the credentials file is returned.

| Encoded/Obfuscated Part | Decoded Meaning |
|-------------------------|-----------------|
| `-file-` | Likely a parameter name or indicator (e.g., `?file=` in a URL) |
| `..` | Parent directory symbol |
| `-2F` | URL encoding for `/` (the standard form is `%2F`; here `-2F` may be a custom or accidental obfuscation) |
| `..-2F..-2F..-2F..-2Fhome` | Repeated `../` sequences to traverse up directories, then go into `/home` |
| `-2A` | URL encoding for `*` (asterisk): wildcard character |
| `.aws` | Hidden directory `.aws` in the user's home |
| `-2Fcredentials` | `/credentials` file |
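As an added example from the defender's side (not code from the page), the following decodes the page's `-2F`-style token exactly as the table describes and applies the base-directory check the vulnerable handler lacks. `BASE_DIR`, the function names and the second sample string are assumptions of this example.

```python
import os
import re
from urllib.parse import unquote

BASE_DIR = "/var/log/app"  # same base directory as the vulnerable handler

# The obfuscated string from the page title, used here as sample input.
PAGE_SAMPLE = "-file-..-2f..-2f..-2f..-2fhome-2f-2a-2f.aws-2fcredentials"

def decode_obfuscated(token):
    """Rewrite '-XX' (two hex digits) as '%XX', then percent-decode.

    This reverses the '-2f' / '-2a' style in the table; '-file-' is not a
    hex pair, so it survives as the literal parameter marker."""
    return unquote(re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", token))

def split_param(decoded):
    """Split '-file-<value>' into ('file', '<value>'); anything else is ('', decoded)."""
    m = re.match(r"^-([A-Za-z_]+)-(.*)$", decoded)
    return (m.group(1), m.group(2)) if m else ("", decoded)

def resolve_under_base(base, user_path):
    """Return the resolved path if it stays inside base, else None.

    realpath collapses '..' and follows symlinks; commonpath then proves the
    result is rooted at base (a plain startswith() check would wrongly accept
    '/var/log/application/...'). An absolute user_path is rejected too, since
    os.path.join drops base when the second component is absolute."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def is_traversal_attempt(token):
    """Detection helper: True when the decoded 'file' value escapes BASE_DIR."""
    _, value = split_param(decode_obfuscated(token))
    return resolve_under_base(BASE_DIR, value) is None

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, "-file-app.log"):  # second sample is constructed
        print(sample, "->", decode_obfuscated(sample),
              "| rejected:", is_traversal_attempt(sample))
```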