Check Path Traversal over again.

A path traversal attack is one of the OWASP Top Ten issues widely found in web applications; it occurs due to improper handling of user input. Learn more about path traversal attacks on PortSwigger's website.

While checking for an LFI attack, the web browser processes the /../../ sequences itself and merges the path, so that whatever follows /../../ ends up relative to the website root. In such a scenario, we can use curl with the `--path-as-is` flag: the input is not processed at the user's end and the path is sent without modification, resulting in arbitrary file read if the target is vulnerable.

Let's have a look at the scenarios.


returns the response of

Paths merged.


curl --path-as-is

returns the content of /etc/passwd.

Reading /etc/passwd using the `--path-as-is` flag
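The following is an added example, not code from the original post: it reproduces the dot-segment merge (RFC 3986, section 5.2.4) that clients apply by default, and a server-side containment check that holds whether or not the client normalizes the path. The document root, the sample paths and both function names are constructed for illustration.

```python
import os
from urllib.parse import unquote

ROOT = "/srv/www/html"                    # constructed document root
RAW = "/images/../../../../etc/passwd"    # constructed request path

def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 dot-segment removal: the client-side merge that
    --path-as-is switches off in curl."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if len(out) > 1:          # never climb above the leading "/"
                out.pop()
            if last:
                out.append("")        # "/a/b/.." becomes "/a/"
        elif seg == ".":
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/".join(out)

def resolve_under_root(root: str, url_path: str):
    """Map a request path to a file path; return None if it escapes root.
    Works on the raw path, so it does not rely on the client normalizing."""
    decoded = unquote(url_path)       # catches %2e%2e%2f style encoding
    if "\x00" in decoded:             # reject embedded NUL bytes outright
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

if __name__ == "__main__":
    print("sent by default :", remove_dot_segments(RAW))
    print("sent as-is      :", RAW)
    for p in (remove_dot_segments(RAW), RAW, "/images/logo.png"):
        print(f"{p!r:40} -> {resolve_under_root(ROOT, p)}")
```

The merged path resolves to a file inside the document root, which is why a browser-based check can miss the issue, while the unmerged path is rejected by the containment check.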

I wonder, there is a lot more to explore about curl secrets that are beneficial while pentesting.