Link to portswigger academy: https://portswigger.net/web-security/file-path-traversal
For any correction / query / suggestion, contact dollarboysushil on Instagram, Twitter (X), YouTube or LinkedIn.
Path traversal (also called directory traversal) is a vulnerability that allows an attacker to read arbitrary files on the server that they should not have access to.
Let's look at an example to understand how a path traversal attack occurs:
https://insecure-website.com/loadImage?filename=64.png
In the above URL the filename parameter is used to load an image file, 64.png in this case. If there is no proper validation or sanitization of the entered input, an attacker can easily manipulate the filename parameter to access files outside the intended directory.
https://insecure-website.com/loadImage?filename=secret.txt
As an example, an attacker can change the filename parameter to something like secret.txt to access a different, important file present on the server.
However, an attacker usually does not know the names or contents of the files present on the server, so they look for default files instead, like the passwd file inside the etc directory on Linux, and boot.ini on Windows.
With this basic knowledge, let's solve the labs to get more hands-on experience.
Link to lab 1: https://portswigger.net/web-security/file-path-traversal/lab-simple
Aim: read the content of /etc/passwd
Click Access the lab. The website will launch in a new tab where we will practice.
Then run Burp Suite. In Burp Suite, under HTTP history, click on Filter and enable images and CSS (they are hidden by default). Then reload the lab.
In the HTTP history we can see the filename parameter loading various images. We will take one of these requests, change the parameter and send the modified request to the server.
Select any one of the requests, right click and send it to Repeater (or CTRL + R).
Our aim is to read the content of /etc/passwd, but we don't know which directory the filename parameter is fetching from.
So we will use ../, which moves one directory up. For example, if we are currently in the /var/www/images folder then ../ moves us one directory up into /var/www/, and multiple ../ sequences move us multiple directories up; ../../../../../../../../../../../../ takes us all the way to the root directory, because extra ../ at the root have no further effect.
../../../../../etc/passwd moves five directories up and then goes into /etc/passwd, thus loading the content of the passwd file.
Lab 1 completed successfully.
----------------------------------------
Link to lab 2: https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
As before, intercept the request and send it to Repeater.
In this lab traversal sequences are blocked, but we can bypass this by providing an absolute path.
By providing the absolute path /etc/passwd we can successfully complete the lab.
Link to lab 3: https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively
As before, send the interesting request to Repeater.
In this lab there is some kind of filter/sanitization that strips (removes) the traversal sequence, but it does so only once, non-recursively.
We can bypass this stripping easily by adding an extra ../ in between the payload: the filter removes the sequences it sees in a single pass, and what is left over after that pass is again a traversal sequence.
Note that this will not work against a recursive stripping process, which keeps removing sequences until none remain.
Link to lab 4: https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode
The previous method does not work here.
We can get around the filter this time by URL-encoding the payload: the application URL-decodes the input once more after the web server has already decoded it, so the filter sees the encoded form while the file is fetched with the decoded one.
By double URL-encoding ../../../../../../etc/passwd we can complete the lab.
Link to lab 5: https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path
An application may require the user-supplied filename to start with the expected base folder, such as /var/www/images. In this case, it might be possible to include the required base folder followed by suitable traversal sequences. For example:
Link to lab 6: https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass
An application may require the user-supplied filename to end with an expected file extension, such as .png. In this case, it might be possible to use a null byte to effectively terminate the file path before the required extension. For example:
filename=../../../etc/passwd%00.png
Everything after the null byte %00 is ignored while fetching the file, which completes the lab.
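The six labs above each defeat one ad-hoc filter (deny-listing ../, stripping it once, decoding after filtering, checking a path prefix, checking a file extension). The defensive lesson is that none of these filters is the right fix; the fix is to canonicalise the full path and then test that it is still inside the base folder. The Python below is an added example written for this walkthrough, not code from the original post or from PortSwigger. It models the insecure loadImage handler on one side (the double decode, NUL truncation and unchecked join are assumptions about how the lab applications behave, taken from what each lab description states) and a hardened resolver on the other. The base folder /var/www/images comes from the walkthrough; the sample request values are constructed from the payload classes the labs describe.

```python
import os
import urllib.parse

# The image folder from the walkthrough (/var/www/images); a constructed value,
# it does not need to exist for the path arithmetic below.
BASE_DIR = "/var/www/images"


def vulnerable_resolve(base, raw_filename):
    """Model of the insecure loadImage handler (an assumption about how the lab
    applications behave, built from what the walkthrough states about each one):
      - the value is URL-decoded a second time after the web server already
        decoded it once (the superfluous decode behind lab 4),
      - a NUL terminates the path, as it would for a C-level open() (lab 6),
      - the name is joined to the base folder with no containment check
        (labs 1, 2 and 5).
    Returns the path the handler would open."""
    name = urllib.parse.unquote(urllib.parse.unquote(raw_filename))
    name = name.split("\x00", 1)[0]
    # os.path.join discards the base entirely when name is absolute, and
    # normpath collapses every '../', even past the root.
    return os.path.normpath(os.path.join(base, name))


def safe_resolve(base, raw_filename, allowed_suffixes=(".png", ".jpg")):
    """Hardened handler. Returns the canonical path to serve, or None to refuse.
    Instead of stripping or denying particular sequences, it canonicalises the
    full path and checks that the result is still inside the base folder."""
    # Decode exactly once, as the web server does for the query string; a second
    # decode here is exactly what makes double encoding work.
    name = urllib.parse.unquote(raw_filename)
    # A NUL is never part of a legitimate file name; refuse it rather than let a
    # lower layer truncate the path at it.
    if "\x00" in name:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # Containment test on the canonical path: this catches '../' chains,
    # absolute paths and a valid-looking '/var/www/images/../../..' prefix alike.
    # A plain string-prefix check would also accept '/var/www/images_backup'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    # Extension allow-list applied after canonicalisation, so a trailing '.png'
    # cannot be smuggled in behind a NUL.
    if not candidate.lower().endswith(allowed_suffixes):
        return None
    return candidate


# Constructed request values; each is the class of input one lab exercises.
SAMPLE_REQUESTS = {
    "legit": "64.png",
    "lab1_traversal": "../../../../../etc/passwd",
    "lab2_absolute": "/etc/passwd",
    "lab4_double_encoded": urllib.parse.quote(
        urllib.parse.quote("../../../../../../etc/passwd", safe=""), safe=""),
    "lab5_base_prefix": "/var/www/images/../../../etc/passwd",
    "lab6_null_byte": "../../../etc/passwd%00.png",
}


def compare(base, samples):
    """Run both resolvers over the samples; returns {label: (vulnerable, hardened)}."""
    return {label: (vulnerable_resolve(base, raw), safe_resolve(base, raw))
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (weak, strong) in compare(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{label:22} vulnerable -> {weak:<22} hardened -> {strong}")
```

Running it shows every non-legitimate sample resolving to /etc/passwd on the vulnerable side and to None on the hardened side, while 64.png is served from the base folder in both. The point of the design is that safe_resolve never inspects the input for particular bad sequences, so the lab 3 and lab 4 tricks have nothing to evade: whatever the string looks like, only the canonical result is compared against the base, and the extension check runs on that result rather than on the raw value.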