DotDotPwn

DotDotPwn is a specialized security tool for identifying directory traversal vulnerabilities, also known as dot-dot-slash attacks. It automates the fuzzing process by generating traversal patterns and testing them against target services to detect potential security flaws that could allow unauthorized access to files outside the intended directory.

Use cases include penetration testing of web servers, FTP servers, TFTP servers, and various web applications such as content management systems (CMSs), enterprise resource planning (ERPs), and blogs. The tool is particularly useful for security researchers and pentesters looking to uncover misconfigurations or vulnerabilities in file access controls.

It supports multiple protocols and provides detailed reporting on traversal attempts, making it an essential component in vulnerability assessment workflows within Kali Linux environments.

DotDotPwn operates by creating traversal patterns mixing dots and slashes, multiplying them based on depth (e.g., -d switch for deepness), generating special traversal patterns, translating backslashes in filenames, adapting to detected OS type (windows, unix, or generic), and including special suffixes. The Traversal Engine produces thousands of test patterns (e.g., 19680 tests) which are fuzz-tested against the target at specified rates (e.g., 3.33 traversals per second). It supports modules like http, ftp, tftp, and uses techniques such as OS detection via nmap (-O), service banner grabbing (-s), and custom filenames or extra files.