path-traversal

star 4.4k

Hunt directory traversal and archive traversal (ZipSlip/TarSlip) from user input to filesystem operations.

PurpleAILAB

By PurpleAILAB schedule Updated 6/2/2026

play_arrow Run Skill in Manus View GitHub

name: path-traversal description: Hunt directory traversal and archive traversal (ZipSlip/TarSlip) from user input to filesystem operations. metadata: subdomain: web-exploitation when_to_use: "path directory traversal zipslip tarslip archive filesystem cwe-22 dot dot slash"

Path Traversal Playbook

Find sinks

open(user_path), send_file(user_path), file download endpoints, archive extraction APIs.

Probe payload classes

Relative traversal: ../../../../etc/passwd
Encoded traversal: %2e%2e%2f
Mixed separators: ..\\..\\windows\\win.ini
Archive traversal: entries like ../../app/config.py

Verify controls

Canonicalization done before allowlist check.
Path confinement to intended root.

Validation

Confirm unauthorized file read/write outside allowed directory with positive and negative controls.

Install via CLI

npx skills add https://github.com/PurpleAILAB/Decepticon --skill path-traversal

Repository Details

star Stars 4,393

call_split Forks 875

navigation Branch main

article Path SKILL.md

Occupations

Information Security Analysts

More from Creator

PurpleAILAB

PurpleAILAB Explore all skills →