Wednesday, September 17, 2014

DotDotPwn on GitHub and in the OWASP Testing Guide v4.0

It's an honour to be listed in the latest release of the OWASP Testing Guide 4.0 as one of the tools to test Web applications against the Path Traversal vulnerability. In other old news, DotDotPwn was included in Kali Linux and BlackArch Linux (an Arch-based distro for pentesters & researchers).

Since time ago, Eldar '@Wireghoul' Marcussen (, has been supporting this project a lot by adding new functionalities and payloads as well as fixing some bugs. THANKS !!!

That said, we strongly recommend to download and use the latest enhanced DotDotPwn on steroids from his github repositoryat:

For the desperate:
$ git clone
$ cd dotdotpwn
$ ./

Happy ../../../Path/../Traversal/../Fuzzing !
Ch33rs ! B-]

Wednesday, March 27, 2013

New Contributions to DotDotPwn !

We're happy to announce these two great contributions to DotDotPwn - The Traversal Directory Fuzzer.

The 1st one was from Eldar 'Wireghoul' Marcussen (, who added support for SSL, zlib compression and removed the HTTP::Lite dependancy.
You can get a copy from:

Today, 27/03/13, we received another contribution from Bryan Alexander (, who added the -C feature to continue the fuzzing process instead of die() in case of the Web server doesn't respond any request.
You can get a copy from (it also includes the SSL feature by Wireghoul):

Thanks a lot for the support guys !

Happy ../../../directory/traversal/ Fuzzing

Cheers ! B-)

Friday, February 3, 2012

NEW RELEASE: DotDotPwn v3.0

We are pleased to present the new version of our Directory Traversal fuzzer!

DotDotPwn v3.0

Version: DotDotPwn v3.0
Release date: 03/Feb/2012 (Release at BugCon Security Conferences 2012)

Changes / Enhancements / Features:

  1. -X switch that implements the Bisection Algorithm in order to detect the exact deepness once a directory traversal vulnerability has been found. -
  2. -M switch to specify another method different from the default (GET) when the http module is used.
  3. Other HTTP methods are [POST | HEAD | COPY | MOVE]
  4. -e switch to specify the file extension to be appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
  5. New dots & slashes encodings (fuzz patterns) based on:,_locale_and_Unicode and
Supported modules:
- Payload (Protocol independent)

Feel free to download this new release from the following sites:

Friday, February 18, 2011

DotDotPwn is now included in Backtrack Pentesting Linux Distro!

Finally, after long time... DotDotPwn is now included in the Backtrack R2..! :)

To install the tool, just need to complete the following two steps:
  1. apt-get install dotdotpwn
  2. cpan -i HTTP::Lite
And practically you are done!

Thanks to all of you guys who supported and voted to for DotDotPwn! ;)

DotDotPwn v2.1 - The Directory Traversal Fuzzer

[ 9 security advisories & counting! ]

It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. Fuzzing modules supported in this version:

- HTTP - HTTP URL - FTP - TFTP - Payload (Protocol independent) - STDOUT

9 Security Advisories released using DotDotPwn:

HTTP (4 security advisories released)
* MultiThreaded HTTP Server @
* Wing FTP Server v3.4.3 @
* Yaws 1.89 (HTTP Server / Win32) @ (nitr0us)
* Mongoose 2.11 (HTTP Server / Win32) @ (nitr0us)

FTP (3 security advisory)
* VicFTPS v5.0 @
* Home FTP Server Post-Auth Directory Traversal @
* Femitter FTP Server 1.04 Directory Traversal Vulnerability @

TFTP (2 security advisories)
* TFTP Desktop 2.5 @
* TFTPDWIN v0.4.2 @ 

DotDotPwn v2.1
  • Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)
  • Release date: 14/Oct/2010 *NON-PUBLIC Version*
 Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to see some examples).
* TFTP Module implemented.
* -k switch for false positive avoidance making another verification once the HTTP Status 200 is received. This option looks for the specified parameter in the server's response. (e.g. -k "root:" if trying with /etc/passwd file or -k "localhost" in windows/system32/drivers/etc/hosts).
* -p switch for payload specification. This option simply takes the text file passed as a parameter, replaces the 'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the request that would be fuzzed).
* For the impatient, when it's working in quiet mode (-q switch), it prints dots each certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error ocurrs (e.g. the Web server doesn't respond anymore because it has reached the maximum number of clients/sockets/threads).
* Prints the time taken at the end of the testing.
* A cleaner usage message (help message).

Supported modules:
- HTTP URL (parameter support!)
- Payload (Protocol independent)

DotDotPwn v2.0

Release date: 2/Sept/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* From Checker to Fuzzer
* Rewritten from the scratch
* Modular architechture (DotDotPwn packages)
* Traversal Engine to automatically create the fuzzing patterns to be sent. This engine makes all the permutations between the dots and slashes encodings, iterates the number of deepness passed as argument and finally, it concatenates the filenames intelligently according to the Operating System detected (in case of -O switch enabled), otherwise, the engine includes all the defined file sets (Windows, UNIX and Generic).
* -O switch for Operating System (nmap)
* -s switch for service detection
* -d switch to specify the desired deep of traversals (e.g. deep 3 equals to ../../../)
* -f switch available to define a specific file name to retrive
* -U and -P switches to supply specific usernames/passwords
* -t switch to specify the time in milliseconds between each attemp
* -x switch to specify a different TCP/UDP port than the defaults
* -b switch to break after the first vulnerability is found
* -q switch for quiet mode (doesn't print each attemp in STDOUT)
* Special treatment of Slash/Backslash in filenames in order to have a correct semantic within each traversal string.
* Improvement in the FTP module to compare against the server's response code instead of vendor-dependent response message (compliance with RFC 959 FTP)
* Improvement in the parameter passing
* A cool banner was included ;)

Supported modules:

DotDotPwn v1.0

Release date: 21/Aug/2010


* Traversal database (external .txt files) holds 881 attack payloads
* -update flag available to perform an online database update
* Only checks the presence of boot.ini on Windows based HTTP/FTP servers

Supported modules: