On this page
apsyleg1 min read
#portswigger #path-traversal #web-security
File Path Traversal: Validation of Start of Path
Lab
File path traversal, validation of start of path · Practitioner
Solution
Given
This lab contains a path traversal vulnerability in the display of product images.
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
To solve the lab, retrieve the contents of the /etc/passwd file.
Analysis and recon
Same as the previous lab, except this time the server validates the input. It checks that it starts with the expected directory. Let's craft a payload for that case.
Request:
GET /image?filename=/var/www/images/45.jpg
OK, then this should work:
GET /image?filename=/var/www/images/../../../etc/passwd
Correct.
Lab solved!
More in this category
Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)
.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.
Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)
Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.
Remote Code Execution via Web Shell Upload (PortSwigger Lab)
Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.