An attacker who discovers a static resource may try to break out of the served directory by typing `../` to leave the present context and see what else is available. Fortunately, when this is done through the web browser the path is normalized and the `../` never reaches the server. However, we can bypass this using the command line. Let's walk through a couple of examples that illustrate how you can accomplish this. From the terminal, we will use `curl` to perform a few steps. If we attempt to browse using `../` we will fail, because `st` inspects for this and blocks attempts to list contents using this method.