If we decode or interpret ..-2F as ../, then the string could represent a path like:
http://vulnerable.site/page.php?file=../../../../etc/passwd
The keyword sequence "-include-..-2F..-2F..-2F..-2Froot-2F" is not a standard literary phrase, but rather a representation of a or Directory Traversal attack string. Specifically, it uses URL-encoded characters (-2F representing /) to attempt to "escape" a web application's intended directory and access restricted system files, in this case the root directory.
To prevent this attack vector, developers and system administrators should implement the following controls:
Assuming a where the web application has a custom include handler that decodes -2F to / and the PHP include function is used with no validation:
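The scenario above as an added example (not code from the original page): a hypothetical handler that decodes -2F to /, shown in its unvalidated form next to a hardened one that canonicalises the decoded path with realpath() and rejects anything that resolves outside the include directory. The function names, the pages/ directory and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example: function names, paths and the sample layout are assumptions.

// Custom decoding step from the scenario: "-2F" stands in for "/".
function decode_param(string $raw): string {
    return str_ireplace('-2F', '/', $raw);
}

// Unvalidated form: the decoded value goes straight into the path that
// include would receive.
function resolve_unsafe(string $base, string $raw): string {
    return $base . '/' . decode_param($raw);
}

// Hardened form: decode first, canonicalise, then require the result to
// stay under $base. Validation runs on the decoded, resolved path.
function resolve_safe(string $base, string $raw): ?string {
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . decode_param($raw));
    if ($baseReal === false || $target === false) {
        return null;                       // missing file or unreadable base
    }
    // Trailing separator stops "/srv/pages-old" matching base "/srv/pages".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the include directory
    }
    return is_file($target) ? $target : null;
}

// Constructed sample layout in a temp dir so the script runs offline.
$root = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.txt", "outside the include directory");

// Constructed inputs: one legitimate page, one sibling escape, and the
// string discussed on this page.
foreach (['home.php', '..-2Fsecret.txt', '..-2F..-2F..-2F..-2Froot-2F'] as $raw) {
    $safe = resolve_safe("$root/pages", $raw);
    printf("%-30s unsafe=%s safe=%s\n", $raw,
        resolve_unsafe("$root/pages", $raw), $safe ?? 'REJECTED');
}
```

Only the value returned by resolve_safe() should ever reach include; mapping the parameter onto a fixed allow-list of page names removes the need to build a path from user input at all.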