Path Traversal Portswigger

File path traversal, simple case

Task :

This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

The img folder should be in /var/www/images and there is no filter, this basic payload works :

../../../etc/passwd

File path traversal, traversal sequences blocked with absolute path bypass

Task :

This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

When an application strips or block path traversal there is various way to bypass it.

Sometimes we can bypass it by simple using absolute path of the target file.

File path traversal, traversal sequences stripped non-recursively

Task :

This lab contains a path traversal vulnerability in the display of product images. The application strips path traversal sequences from the user-supplied filename before using it. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

Here there is filter and we can't use the absolute path. There is various bypass, in this case we can try to double the path.

....//....//....//etc/passwd

File path traversal, traversal sequences stripped with superfluous URL-decode

Task :

This lab contains a path traversal vulnerability in the display of product images. The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

Here we have to use another way of bypass, url encoding. The application is looking for input containing path, then url-decode our url.

Let's encore first our path with Decoder in Burp.

Seems it's not the solution, if one encoding is not enough sometimes we can encode it multiple time or use various non standarts encoding. Let's encode it a second time

Great, double encoding was the solution.

GET /image?filename=%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34

File path traversal, validation of start of path

Task :

This lab contains a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

Didn't get the point of this lab, it's basic path traversal without restrictions

File path traversal, validation of file extension with null byte bypass

Task :

This lab contains a path traversal vulnerability in the display of product images. The application validates that the supplied filename ends with the expected file extension. To solve the lab, retrieve the contents of the /etc/passwd file.

Walk trough :

First, get a request where an image is requested and send it to repeater.

Sometimes the restriction is based on the given file, e.g. it looks for an extension .jpg at the end of the request. We can bypass that using null byte

../../../etc/passwd%00.jpg

How to prevent a path traversal attack

• Avoid passing user input to filesystem APIs altogether.

If you can't :

• Validate user input before processing

• Use platform system API to canonicalize the path.

Java code to validate canonical path of a file based user input :

File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}

Details :

Combining Paths :

File file = new File(BASE_DIRECTORY, userInput);

This combines the BASE_DIRECTORY with userInput. Suppose BASE_DIRECTORY is /home/user/base and userInput is ../../etc/passwd, then the combined path would be /home/user/base/../../etc/passwd.

Canonicalization :

if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {

file.getCanonicalPath() resolves the combined path to its absolute and unique form by removing the relative path components:

/home/user/base/../../etc/passwd becomes /etc/passwd.

Validation :

if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process the file safely
}

The code checks if the canonical path starts with the base directory.

If the canonical path starts with the base directory, it means the user input hasn't escaped the intended directory bounds, and you can safely process the file. Otherwise, it should be rejected.