
Yes, I've read forums that say the forward slash (/) is an invalid character in a file name, since it is the file separator on Windows and *nix-based machines. But without creating such an exploit file, I think attacks like Zip Slip won't be possible, will they?

Most Zip Slip attacks involve creating a file with a slash character, and when languages like Java use file I/O with the ZipEntry name, they write to some directory other than the intended one. So how is this possible?

Ref: https://snyk.io/research/zip-slip-vulnerability


The key is in the first line of the third paragraph of the page you reference:

The vulnerability is exploited using a specially crafted archive...

You don't create a file with a slash in it (and then put that file into an archive), but you create an archive that says it has a file with a slash in it (so when it is extracted it "confuses" the extractor/operating system and creates a file where it shouldn't).

Depending on the nature of an archive, and its internal format, creating an archive could conceivably be as easy as binary-editing an existing archive (e.g. changing SafeNamedFile.sh to ../../../evil.sh), but is more likely to need altering the source code of the archive-creation utility to embed what would normally be an illegal filename.

TripeHound
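To make the answer concrete from the defender's side, here is an added example (not part of the original post or the Snyk write-up) in Python rather than the Java mentioned in the question. Python's `zipfile.writestr` stores whatever entry name it is given, so it shows how an archive can claim to contain `../../../evil.sh` without any such file ever existing on disk, and the `safe_extract` function shows the check an extractor needs: resolve each entry against the destination and refuse anything that lands outside it. The entry names and contents are constructed for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_archive(entries):
    """Build an in-memory zip whose entry names are written verbatim.
    zipfile does not validate names, so a '../' prefix survives into the
    archive's central directory; that is all a crafted Zip Slip archive is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_safe_entry(dest_dir, entry_name):
    """True only if the entry resolves to a path inside dest_dir.
    resolve() collapses '..' and follows symlinks; an absolute entry name
    replaces dest_dir entirely and is therefore rejected as well."""
    dest = Path(dest_dir).resolve()
    target = (dest / entry_name).resolve()
    return target == dest or dest in target.parents


def safe_extract(archive_bytes, dest_dir):
    """Extract entries that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)  # would escape dest_dir
                continue
            target = (Path(dest_dir) / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo():
    """Constructed archive: one benign entry and one Zip Slip-style entry."""
    archive = build_archive({
        "SafeNamedFile.sh": b"echo safe\n",
        "../../../evil.sh": b"echo escaped\n",  # constructed malicious name
    })
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(archive, dest)
        safe_content = (Path(dest) / "SafeNamedFile.sh").read_bytes()
    return written, rejected, safe_content
```

Running `demo()` writes only `SafeNamedFile.sh` and reports `../../../evil.sh` as rejected; an extractor that skips the `is_safe_entry` check and simply joins the entry name onto the destination is the vulnerable pattern the answer describes.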