```php
$base = '/var/www/html/';
$user_path = $base . $_GET['file'];
// realpath() canonicalises the path and returns false if the target does not exist
$real = realpath($user_path);
// Reject paths that do not exist or that resolve outside the base directory
if ($real === false || strpos($real, $base) !== 0) {
    die('Invalid path');
}
```

```php
$base_dir = '/var/www/html/includes/';
$user_input = $_GET['file'];
// Resolve the absolute path
$real_path = realpath($base_dir . $user_input);
// Verify the file exists and resides within the allowed base directory
if ($real_path !== false && strpos($real_path, $base_dir) === 0) {
    include($real_path);
} else {
    die("Access Denied: Invalid File Path.");
}
```

3. Apply the Principle of Least Privilege

```php
// Vulnerable: user input is concatenated into the include path without validation
$file = $_GET['page'];
include("/var/www/html/" . $file . ".php");
```

```
GET /index.php?page=-include-..-2F
GET /*.php?*-include-*
GET /*.*-2Froot-2F
```

Many web applications store database credentials in files like /var/www/html/config.php. Using -include-../../../../var/www/html/config.php (with appropriate encoding) would simply read the config file itself. But the root directory often contains even more sensitive data, such as .my.cnf (MySQL credentials for root) or .aws/credentials on cloud servers.

```php
// Vulnerable: $page is used directly to build the include path
$page = $_GET['page'];
include("/var/www/html/pages/" . $page . ".php");
```

If user input must be used to build a file path, verify the resulting path using canonicalization functions. In PHP, realpath() resolves all symbolic links, relative path references, and character encodings. You can then verify that the absolute path remains inside the intended base directory.
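An added example, not code from the original page, that turns the realpath() check described above into a reusable function and exercises it against constructed traversal, sibling-prefix and symlink cases; every directory and file name below is made up for the demo:

```php
<?php
// Added example (not from the original page). Two details the short snippets
// rely on are made explicit here: realpath() returns false for a path that
// does not exist, and the prefix comparison must include the trailing
// separator, or a sibling such as /base_old would count as "inside" /base.
function resolveInsideBase(string $baseDir, string $userInput): ?string
{
    // Canonicalise the base so both sides of the comparison have the same
    // form (symlinks resolved, no trailing slash).
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // A null byte would truncate the path in the underlying C file APIs.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($real === false) {
        return null; // missing file, or traversal to an unreadable location
    }
    // Prefix ends with a separator so /base_old is not accepted as /base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Self-contained demonstration in a constructed temporary directory tree.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir("$root/includes", 0700, true);
mkdir("$root/includes_old", 0700);
file_put_contents("$root/includes/header.php", '<?php echo "header";');
file_put_contents("$root/includes_old/secret.txt", 'sibling directory');
file_put_contents("$root/outside.txt", 'outside the base');
symlink("$root/outside.txt", "$root/includes/link.txt");

$cases = [
    'header.php'                 => 'legitimate file inside the base',
    '../outside.txt'             => 'dot-dot traversal out of the base',
    '../includes_old/secret.txt' => 'sibling directory sharing the prefix',
    'link.txt'                   => 'symlink inside the base pointing outside',
    'missing.php'                => 'file that does not exist',
];
foreach ($cases as $input => $description) {
    $result = resolveInsideBase("$root/includes/", $input);
    printf("%-42s %s\n", $description, $result === null ? 'rejected' : "allowed: $result");
}
```

The demo leaves its small temporary tree under the system temp directory; remove it by hand once you have inspected the output.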

```sh
sudo grep -- '-include-.*-2F' /var/log/apache2/access.log
```

```sh
# '--' stops grep from reading the pattern's leading '-' as an option; the
# original pattern's '\2F' was an invalid back-reference and would not run
grep -- '-include-\.\.-2F' access.log
```

A successful path traversal attack can have devastating consequences for an organization:

An attacker submits a request using the targeted payload: protocol://://example.com