So I’m currently testing a site that has a URL like this
I found that I can do to get to the home page
or I can read files like the CSS for another page
NOTE: The company’s policy states that a researcher can only go to the minimal amount of testing required to prove a vulnerability, so I don’t want to try accessing the passwd file or any other sensitive file that isn’t already public. I also tried example.com/dir1/dir2?nextPage=google.com but it seems to check if the URL is local, so that doesn’t work. Would what I found be considered directory traversal?