Alright, fellow bug hunters! Today, we’re diving into the intriguing world of Path Traversal Vulnerability. Path Traversal is a sneaky vulnerability that lets hackers navigate through directories they shouldn’t access. But fear not, I’ve got your back! I’ve compiled some awesome resources to help you grasp the concept and understand it (and exploit it) like a pro.
Don’t forget to save this post (or check out the corresponding GitHub repo) for future reference. Oh, and be sure to hit that follow button to stay in the loop with my latest learnings and findings!
If you’re already familiar with how the web works and have some Linux filesystem know-how, you’re in for a treat!
Alright, so what is mean by path traversing? Imagine a website URL, and it’s made up of various elements (check out the figure below). We won’t dive too deep into it, assuming you all got the basics of “how the web works.” 😉 No worries; we’ll keep it simple for everyone!
You’re trying to fetch your CV, userCV.pdf, from a webserver. So, you shoot a HTTP request to the server asking for the same. Now, here’s where things get sneaky. Instead of just asking for your CV, a clever hacker can sneakily mess with the request and try to access other files or directories on the server. It’s like taking a shortcut up the path and peeking into places you shouldn’t.
A path traversal vulnerability is also called directory traversal or zip slip vulnerability (or dot-dot-slash attack).
Here’s the deal: Imagine the user’s input gets passed to a function without being checked or sanitized. The hacker takes advantage of this and tries to play around with the webserver. They can thus access the operating system resources, like local files on the server.
To test for the sneaky vulnerability we talked about, we can tinker with the URL parameter and see how the web app reacts. We move up the directory using double dots and a slash (../). Now, when we find an entry point (like this one: http://webapp.thm/get.php?file=userCV.pdf), we can try something wild, like…