Path Traversal
Lab: File Path Traversal, Simple case
This lab contains a path traversal vulnerability in the display of product images.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Click on Open image in new tab

We can see that the URL is
We just need to change the URL to
However, if we try to view on the browser, it will just show this.

But if we view it on Burp Suite, it will show the content of /etc/passwd.

Lab: File path traversal, traversal sequences blocked with absolute path bypass
This lab contains a path traversal vulnerability in the display of product images.
The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Same as the previous lab, we will open the image in a new tab
So now the URL is
Since the application blocks traversal sequences, we can try supplying the full file path directly.
We should be able to see the content of /etc/passwd.

Lab: File path traversal, traversal sequences stripped non-recursively
This lab contains a path traversal vulnerability in the display of product images.
The application strips path traversal sequences from the user-supplied filename before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Same as the previous lab, we will open the image in a new tab and capture the request in Burp Suite.

We will then send that request to Repeater.
Since we know that the application strips path traversal sequences only once before using the filename, we can craft the path so that a valid traversal sequence is still left behind after the stripping.
We should be able to see the content of /etc/passwd after sending the request.

Lab: File path traversal, traversal sequences stripped with superfluous URL-decode
This lab contains a path traversal vulnerability in the display of product images.
The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Same as the previous lab, we will open the image in a new tab, capture the request in Burp Suite and send it to Repeater.
Since we are told that the application performs a URL-decode of the input before using it, we will try to URL encode the path using Decoder.

We will then copy the payload into the request and send it.

However, the response says "No such file".
So, the next step is to URL-encode that payload once more, since the application might be decoding a double URL-encoded value rather than a single-encoded one.
We will use Decoder to encode it again, copy the payload into the request and send it.
We should be able to see the content of /etc/passwd.

Lab: File path traversal, validation of start of path
This lab contains a path traversal vulnerability in the display of product images.
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Same as the previous lab, we will open the image in a new tab, capture the request in Burp Suite and send it to Repeater.
We can see that the filename parameter contains the full path to 57.jpg.
Since only the start of the path is validated, we can try to traverse from that folder to /etc/passwd.
After sending this modified request, we should be able to see the content of /etc/passwd.

Lab: File path traversal, validation of file extension with null byte bypass
This lab contains a path traversal vulnerability in the display of product images.
The application validates that the supplied filename ends with the expected file extension.
To solve the lab, retrieve the contents of the /etc/passwd file.
Solution
Same as the previous lab, we will open the image in a new tab, capture the request in Burp Suite and send it to Repeater.
If we modify the request to be this:
The response returned is this:
However, if we change the payload to this:
It will then show the content of /etc/passwd.
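Each of the labs above fails for the same reason: the filter inspects the user-supplied string instead of the path the operating system will actually open. The following example is added here and is not part of the lab or of any PortSwigger code; it places a filter modelled on the "stripped non-recursively" lab beside a hardened resolver that decodes once, rejects NUL bytes, canonicalises, and checks containment. The base directory /srv/images and the accepted extensions are constructed values for the demo.

```python
import os
from urllib.parse import unquote

# Constructed demo value: where the application keeps its product images.
BASE_DIR = "/srv/images"
ALLOWED_EXT = (".jpg", ".png")


def naive_strip_filter(filename):
    """Filter modelled on the 'stripped non-recursively' lab: removes each
    '../' a single time and then joins. NOT safe; shown only for contrast.
    Returns the normalised path the OS would open."""
    cleaned = filename.replace("../", "")
    return os.path.normpath(os.path.join(BASE_DIR, cleaned))


def safe_resolve(filename):
    """Hardened resolver. Returns the absolute path to serve, or None if the
    request must be rejected."""
    # Decode exactly once at the trust boundary. Decoding again later (the
    # 'superfluous URL-decode' lab) is what turns %252e%252e into '..'.
    decoded = unquote(filename)

    # A NUL byte lets an extension check pass while the C runtime stops
    # reading the name at the NUL ('null byte bypass' lab).
    if "\x00" in decoded:
        return None

    # Check the extension on the decoded, NUL-free name, not the raw input.
    if not decoded.lower().endswith(ALLOWED_EXT):
        return None

    # os.path.join drops BASE_DIR entirely when the input is absolute
    # ('absolute path bypass' lab), and a startswith() on the raw string is
    # defeated by traversal inside the string ('validation of start of path'
    # lab). So canonicalise the joined result and test containment instead.
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs representing the bypass classes the labs describe.
    for name in ["57.jpg", "/etc/passwd", "../../etc/passwd",
                 "....//....//etc/passwd", "%252e%252e/%252e%252e/etc/passwd",
                 "../../etc/passwd%00.jpg"]:
        print(f"{name!r:45} naive={naive_strip_filter(name)!r:30} "
              f"safe={safe_resolve(name)!r}")
```

Running the block prints how the naive filter lets the doubled sequence escape to /etc/passwd while the hardened resolver only returns a path for 57.jpg.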