To understand what this string does, we have to break down its components:
In URL encoding, %2F represents the forward slash (/). The given string replaces % with a hyphen (-), yielding -2F. This is a known obfuscation technique to bypass naïve filters that look for %2F or ../ but not for the hyphenated form.
-template-..-2F..-2F..-2F..-2Froot-2F
First, let’s decode the -2F parts:
If you’re testing your own application and see such strings in logs:
To protect against this specific payload, applications and WAFs (Web Application Firewalls) implement several security features:
in specific templating engines to avoid being caught by basic security filters. The Intent: By repeating ../../../../root/
Most languages have functions to get the "basename" of a file path (e.g., basename() in PHP), which strips out all directory information and leaves only the filename.
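As an added illustration (not code from the original page), the Python sketch below shows why a filter that only looks for %2F or ../ passes the string above, and how decoding the -2F form first and then applying the basename approach handles it. TEMPLATE_ROOT, the function names and the two extra sample inputs are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote

TEMPLATE_ROOT = "/srv/app/templates"  # assumed template directory
PAYLOAD = "-template-..-2F..-2F..-2F..-2Froot-2F"  # the string discussed above
_HYPHEN_SLASH = re.compile(r"-2f", re.IGNORECASE)  # -2F standing in for %2F


def naive_filter(value: str) -> bool:
    """Weak check: accepts anything without a literal %2F or ../ in it."""
    return "%2f" not in value.lower() and "../" not in value


def normalize(value: str) -> str:
    """Decode %XX and -2F repeatedly so nested encodings are unwrapped too."""
    for _ in range(5):  # bounded number of passes
        decoded = _HYPHEN_SLASH.sub("/", unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value climbs directories or is absolute."""
    norm = normalize(value)
    return norm.startswith("/") or ".." in norm.split("/")


def safe_template_path(value: str) -> str:
    """Basename mitigation: keep only the file name, then join to the root."""
    name = posixpath.basename(normalize(value))
    if name in ("", ".", ".."):
        raise ValueError("no usable file name in template parameter")
    return posixpath.join(TEMPLATE_ROOT, name)


if __name__ == "__main__":
    # The second and third samples are constructed for this example.
    for sample in (PAYLOAD, "..-2F..-2Freport.html", "invoice.html"):
        print(sample, naive_filter(sample), is_traversal(sample))
```

A legitimate file name that happens to contain the literal characters -2F would be split at that point by normalize(), so applications that allow such names should reject the input instead of rewriting it.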