-template-..-2F..-2F..-2F..-2Froot-2F.aws-2Fcredentials

Replace every instance of -2F with / :

-template-../../../../root/.aws/credentials

After traversing to root, the payload appends root/.aws/credentials. The full resulting path becomes:

The .aws/credentials file is crucial for AWS CLI and SDK operations, as it stores the access keys used to authenticate and authorize AWS API requests. The presence of such a file and its accessibility are tightly controlled to prevent unauthorized access to AWS resources.

If an attacker successfully retrieves the .aws/credentials file, the consequences are often catastrophic:

The fix was simple but vital: Eli updated the code to use a "whitelist" of allowed files and implemented a function to strip out any directory traversal characters before the server ever processed the request.
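The decoding step and the fix described above, written out as an added example (not the original server's code): it undoes the -2F encoding, flags traversal segments for detection, and only serves names on an allowlist confined to an assumed template directory. The allowlist entries and TEMPLATE_ROOT are constructed values.

```python
import posixpath
from typing import Optional

# Constructed allowlist of template names the server may serve (assumption).
ALLOWED_TEMPLATES = frozenset({"index.html", "login.html", "report.html"})
# Assumed base directory that every resolved path must stay under.
TEMPLATE_ROOT = "/srv/app/templates"


def decode_template_name(raw: str) -> str:
    """Undo the custom encoding: every '-2F' stands for '/'."""
    return raw.replace("-2F", "/")


def contains_traversal(decoded: str) -> bool:
    """Detection: a '..' segment or an absolute path marks a traversal attempt."""
    return decoded.startswith("/") or ".." in decoded.split("/")


def resolve_template(raw: str) -> Optional[str]:
    """Hardened lookup: decode, reject traversal, enforce the allowlist and
    confine the result to TEMPLATE_ROOT. Returns the safe path or None."""
    decoded = decode_template_name(raw)
    if contains_traversal(decoded):
        return None
    if decoded not in ALLOWED_TEMPLATES:
        return None
    full = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, decoded))
    # Belt and braces: the normalized path must still sit under the root.
    if not full.startswith(TEMPLATE_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests: the page's payload and a legitimate name.
    payload = "..-2F..-2F..-2F..-2Froot-2F.aws-2Fcredentials"
    print(decode_template_name(payload))   # ../../../../root/.aws/credentials
    print(contains_traversal(decode_template_name(payload)))  # True
    print(resolve_template(payload))       # None
    print(resolve_template("login.html"))  # /srv/app/templates/login.html
```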