Callback-url-file-3a-2f-2f-2fproc-2fself-2fenviron
Imagine your application has an endpoint like:
https://example.com/process-payment?callback_url=https://trusted-partner.com/confirm
If the code does something like:
// Vulnerable: the URL is taken straight from the query string and handed to
// file_get_contents(), which accepts any PHP stream wrapper, file:// included.
$callback = $_GET['callback_url'];
$response = file_get_contents($callback);
An attacker changes it to:
callback-url-file-3A-2F-2F-2Fproc-2Fself-2Fenviron
After decoding, the server executes:
file_get_contents("file:///proc/self/environ")
Outcome: The server reads its own process environment (/proc/self/environ) and returns it in the HTTP response, exposing every secret held in environment variables.
Even worse, if your app writes logs or caches the content, the secrets persist in your systems.
Standard URL encoding uses % (e.g., file:// → file%3A%2F%2F).
The format with hyphens (-3A-2F-2F-2F) suggests a variant encoding in which a hyphen takes the place of the percent sign, so -3A-2F-2F-2F decodes to the same :// as %3A%2F%2F%2F.
Attackers often experiment with multiple encoding styles to evade detection.
Add detection rules for:
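An added example, not code from the original article: a Python rule that decodes both standard %-encoding (including double encoding) and the hyphen variant shown above, allows only https callbacks to an allowlisted partner host (ALLOWED_HOSTS is an assumption), and runs that rule over constructed access-log lines so both encodings of file:///proc/self/environ are flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_HOSTS = {"trusted-partner.com"}  # assumption: the app's partner allowlist
HYPHEN_HEX = re.compile(r"-([0-9A-Fa-f]{2})")  # "-3A-2F": a hyphen in place of "%"

def decode_fully(value: str, limit: int = 5) -> str:
    """Peel repeated %-encoding layers (attackers also double-encode)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_callback(value: str) -> tuple:
    """Return (allowed, reason). Only https to an allowlisted host passes, so
    file:// and every other stream wrapper is rejected by construction."""
    plain = decode_fully(value)
    cands = [plain]
    if "://" not in plain:  # not a URL as-is: try the hyphen variant first
        cands.insert(0, decode_fully(HYPHEN_HEX.sub(r"%\1", plain)))
    for cand in cands:
        parts = urlsplit(cand)
        if parts.scheme.lower() != "https":
            return False, f"scheme {parts.scheme or '(none)'!r} in {cand!r}"
        if parts.hostname not in ALLOWED_HOSTS:
            return False, f"host {parts.hostname!r} not allowlisted"
    return True, "ok"

def scan_access_log(log: str) -> list:
    """Apply check_callback to every request line; return (line_no, reason)."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = re.search(r"\?(\S+)", line)
        if not m:
            continue
        for v in parse_qs(m.group(1), keep_blank_values=True).get("callback_url", []):
            ok, reason = check_callback(v)
            if not ok:
                hits.append((n, reason))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET /process-payment?callback_url=https%3A%2F%2Ftrusted-partner.com%2Fconfirm 200
10.0.0.9 GET /process-payment?callback_url=file%3A%2F%2F%2Fproc%2Fself%2Fenviron 200
10.0.0.9 GET /process-payment?callback_url=file-3A-2F-2F-2Fproc-2Fself-2Fenviron 200
10.0.0.7 GET /process-payment?callback_url=https%3A%2F%2Fattacker.example%2Fconfirm 200
"""
```

The same check_callback function can sit in front of file_get_contents() in the endpoint itself, so the request is refused before any wrapper is opened.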
