1. File Path Traveral

Path traversal

A path, aka directory or dot-dot-slash, vulneratibility enables the attacker to access (read or write) arbitrary files on the application server.

1. Let’s say that a shopping app displays images loading this HTML code:

    <img src="/loadImage?filename=218.png">
   

   The loadImage URL takes a filename parameter and returns the contents of 218.png. The image is stored under /var/www/images, so it is essentially calling /var/www/images/218.png.

2. We can use ../ to navigate directories and requeste any file we want from other directories:

    https://insecure-website.com/loadImage?filename=../../../etc/passwd
   

   This translates to /var/www/images/../../../etc/passwd.

   On Windows, both ../ and ..\ are valid.

Lab: File path traversal, simple case

Objective: This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.

1. It seems we are dealing with an e-shop:

   

2. We can click on a product and examine the traffic with Burp, but first we need to whitelist images via our filter settings:

   

   

3. We can now examine the request via Burp Proxy’s HTTP History by refreshing the page. There we can see a GET request to the /image URL which takes the filename parameter:

   

4. We can send it to the Repeater and try our Path Traversal attack:

   

5. To mark this lab as solved, we need to actually intercept the request via Proxy, modify it, and Forward it:

   

   

   

Resources

• Server-side vulnerabilities.
• Related practice: DVWA LFI.