Directory Traversal Lab
LAB #1: File path traversal, simple case
Lab URl: https://portswigger.net/web-security/file-path-traversal/lab-simple
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
This didn't enforce any protection against directory traversal so attackers can use directory traversal to view server internal files. Using the following command we can get the content of the /etc/passwd file.
As the API is used for giving an image file so the browser will not show the content in the browser they will show the following error.
So we must use tools like curl that will show us raw responses.
LAB #2: File path traversal, traversal sequences blocked with absolute path bypass
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
They enforce some protection that will strip any combination of ../ and they are striping that in the loop so we cannot use payload like this ....//....// will also block any URL encoding also doesn't work. But by using an absolute path they will give us the content of the /etc/passwd file.
LAB #3: File path traversal, traversal sequences stripped non-recursively
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
They enforce some protection that will strip any combination of ../ but they didn't do striping in a loop or recursively so we can use payload like this ....//....// and that will bypass the protection and give us the contents of /etc/passwd file.
LAB #4: File path traversal, traversal sequences stripped with superfluous URL-decode
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
They enforce some protection against directory traversal attacks in which they block any sequences ../ and we can also don't get the files using an absolute path. Using a double URL to encode the directory traversal payload we can get the context of the /etc/passwd file.
LAB #5: File path traversal, validation of the start of the path
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
In the above URL, we can see the filename parameter start with the directory /var/www/image if we didn't pass that path in our URL they show us an error saying
They are validating if the URL has that path or not if not then throw an error. This validation can easily be bypassed using a payload like the following.
we can get the contents of /etc/passwd using the following command.
LAB #6: File path traversal, validation of file extension with null byte bypass
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass
Objective: view the content of /etc/passwd
This lab contains a shopping application that has different products. Each product has its image and they are getting that image from an image API using a parameter name filename. The full URL of the image API is like the following.
They add some extension validation in it. If the file doesn't have an extension .jpg it will not show any result and throw an error.
Any payload other payload didn't work but we can bypass this validation using a Null byte in our payload like the following.
Using this payload we can get the contents of the /etc/passwd file using the following command.
Last updated
Was this helpful?