Directory traversal attack

[3][4] Some web applications attempt to prevent directory traversal by scanning the path of a request URI for patterns such as ../.

This check is sometimes mistakenly performed before percent-decoding, so a request containing a pattern like %2e%2e/ passes the check and is only decoded into ../ afterwards, immediately before the path is actually used.

[5] Percent-decoding may also be performed accidentally more than once: once before validation and again afterwards. This makes the application vulnerable to double percent-encoding attacks,[6] in which disallowed characters are replaced by their double-percent-encoded form: the first decoding pass yields text that still passes the check, and the second pass then produces the forbidden sequence.
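The two ordering mistakes described above (checking before decoding, and decoding twice) are easy to see side by side in code. The following Python example is added here and is not part of the original article; the request paths, the document root /srv/www/static and the function names are constructed for illustration. It contrasts a check that inspects the raw URI path with one that decodes exactly once, normalises the result, and then verifies that the resolved file lies under the document root.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed sample request paths (not taken from the article).
SAMPLES = {
    "plain": "docs/readme.txt",
    "literal": "../../etc/passwd",
    "single_encoded": "%2e%2e/%2e%2e/etc/passwd",
    "double_encoded": "%252e%252e/%252e%252e/etc/passwd",
}

# Assumed document root; it does not need to exist for the path logic below.
DOC_ROOT = "/srv/www/static"


def naive_check_before_decoding(raw_path: str) -> bool:
    """Flawed pattern: scan the *raw* URI path for '../' and only decode later.

    Returns True when the path is accepted.  A percent-encoded '%2e%2e/'
    does not contain the literal '../' and is therefore waved through, even
    though unquote() will turn it into '../' before the file is opened.
    """
    return "../" not in raw_path


def flawed_double_decode(raw_path: str) -> str:
    """Flawed pattern: decode once before validation and again afterwards.

    Whatever validation runs on the intermediate value sees '%2e%2e/', which
    looks harmless; the second unquote() then produces '../'.
    """
    once = unquote(raw_path)
    # ... validation of `once` would happen here ...
    return unquote(once)


def resolve_under_root(root: str, raw_path: str) -> Optional[str]:
    """Hardened pattern: decode exactly once, normalise, then check containment.

    Returns the absolute filesystem path when it lies inside `root`, or None
    when it would escape.  Containment is checked on the resolved path rather
    than by pattern-matching the input, so the encoding of the request is
    irrelevant: a double-encoded path simply resolves to a literal file name
    such as '%2e%2e' inside the root.
    """
    decoded = unquote(raw_path)               # single decoding pass
    root_abs = os.path.realpath(root)
    # realpath() also collapses symlinks for components that exist on disk.
    candidate = os.path.realpath(os.path.join(root_abs, decoded))
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None


def classify(raw_path: str) -> dict:
    """Show, for one request path, what each approach would do with it."""
    return {
        "naive_accepts": naive_check_before_decoding(raw_path),
        "single_decoded": unquote(raw_path),
        "double_decoded": flawed_double_decode(raw_path),
        "resolved": resolve_under_root(DOC_ROOT, raw_path),
    }


if __name__ == "__main__":
    for label, path in SAMPLES.items():
        print(label, classify(path))
```

Running the block prints, for each sample, whether the raw-path check accepts it, what one and two decoding passes yield, and what the hardened resolver returns; only docs/readme.txt and the double-encoded path resolve to a location under the root, and the latter only as a harmless literal file name.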

[8] This kind of vulnerability notably affected versions 5.0 and earlier of Microsoft's IIS web server software.

This is specifically forbidden by the UTF-8 standard,[10] but has still led to directory traversal vulnerabilities in software such as the IIS web server.