In cases I would like to test Path Traversal vulnerabilities in web applications, the target URL is usually https://example.com/../../path
. Using the GET method in requests, that URL will be normalized as below. Consequently, this will lead to unintended results in the test.
r = requests.get('https://example.com/../../path')
print(r.url)
# https://example.com/path
With curl
, we have an option to ignore the normalization : --path-as-is
. So, do we have an equivalent option for requests
?
@EDjur Thank you for your information. Do you know a workaround to resolve this?
Try using prepared request
url = "http://example.com/../something.txt"
s = requests.Session()
req = requests.Request(method='POST' ,url=url, headers=headers, data=data)
prep = req.prepare()
prep.url = url
r = s.send(prep, verify=False)
@akmalhisyam Thank you very much. It works well.
@akmalhisyam is correct here. Using the PreparedRequests workflow will typically solve issues like this if you MUST explicitly set something.
Most helpful comment
Try using prepared request