
🗂️PortSwigger Lab Writeup: File Path Traversal - Traversal Sequences blocked with Absolute Path Bypass

PortSwigger lab description page for Path Traversal – Absolute Path Bypass


🎯 Objective

The objective of this lab is to exploit a path traversal vulnerability in a web application where traversal sequences are blocked and filenames are resolved relative to a default working directory, and retrieve the contents of the sensitive file /etc/passwd.


💉 Payloads Used

  • Payload 1 - ❌
../../../../etc/passwd
  • Payload 2 - ✅
/etc/passwd

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly, open the lab URL in your browser and observe what the site is about and how it works.
Path Traversal lab instance showing vulnerable shopping site
  • At first glance, the website is a shopping site with very unique and unrelated products which you cannot buy. The lab description mentions that the vulnerability is in the display of product images.

🔍Step 2: Find the Vulnerable Endpoint

  • Open the Network tab of Developer Tools to see what resources the website loads.
Developer tools showing image requests in the network tab
  • The site dynamically loads product images by requesting /image?filename=..., as seen in the Network tab.
  • This is the likely vulnerable endpoint: it takes a filename directly from a query parameter, which is the classic pattern behind path traversal.

🧰Step 3: Capture Requests in BurpSuite

  • Start BurpSuite and reload the website to capture requests.
  • By default, BurpSuite hides image requests in HTTP History, so first enable the "Images" filter.
BurpSuite HTTP history filter
  • After enabling the Images filter, you will see all the requests you saw in the Network tab of Developer Tools.
Captured image requests in BurpSuite

🚀Step 4: Send the Payload

  • Based on our initial observations, the /image?filename=... endpoint appears to be the most likely vulnerable endpoint.
  • For testing, first send any image request to the Repeater tab.
Sending image request to Repeater Tab in BurpSuite
  • Firstly, try the most common payload, ../../../../etc/passwd, in the ?filename= parameter and send the request.
Path traversal payload using ../ blocked by server in BurpSuite Repeater
  • This payload didn't work because traversal sequences are being blocked, so let's try another payload with an absolute path: /etc/passwd
Successful absolute path traversal using /etc/passwd
  • And 💥 Boom! We got the contents of the /etc/passwd file.
  • And finally, the lab is solved.
PortSwigger Lab Solved banner after successful path traversal exploit

🧠 Conclusion

  • This lab involves a path traversal vulnerability where the filename parameter is used to load product images from the server: traversal sequences are blocked, but the final resolved path is never validated.
  • Without a check on the resolved path, an attacker can use an absolute path to bypass the traversal-sequence restriction and read unintended files.
  • By supplying an absolute path (/etc/passwd), we bypassed the relative-path restriction entirely. This confirms that the application does not canonicalise and restrict the full resolved file path to the intended directory.
  • Developers often rely on filtering ../ without considering direct absolute path access, which leaves the application vulnerable even when traditional traversal strings are blocked.
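To make the conclusion concrete, here is an added example (not the lab's own code, and not PortSwigger's) contrasting a resolver that only blocklists `..` with one that canonicalises the final path and checks it stays under the image directory. The base directory `/var/www/images` and the function names are assumptions for illustration; the functions return the path that would be opened, or `None` when the request is rejected, so the behaviour can be checked without reading any real file.

```python
import os

# Assumed image directory for this example (not the lab's real layout).
IMAGE_DIR = "/var/www/images"


def resolve_blocklist_only(filename: str):
    """Vulnerable resolver modelled on the lab: rejects '..' but never checks
    where the final path ends up. Returns the path that would be opened, or
    None if the request is rejected."""
    if ".." in filename:
        return None  # traversal sequence blocked, as in the lab
    # os.path.join throws IMAGE_DIR away when filename is absolute, so
    # '/etc/passwd' resolves straight to '/etc/passwd'.
    return os.path.normpath(os.path.join(IMAGE_DIR, filename))


def resolve_within_base(filename: str):
    """Hardened resolver: canonicalise the full path (symlinks included) and
    accept it only if it is still strictly inside IMAGE_DIR. No '..' blocklist
    is needed, because any escape, relative or absolute, fails the check."""
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(IMAGE_DIR, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the two payloads from the lab plus a benign name.
    for name in ["cat.jpg", "../../../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r:28} blocklist-only -> {resolve_blocklist_only(name)!r:24} "
              f"canonical check -> {resolve_within_base(name)!r}")
```

Run the file directly to see that the blocklist-only resolver rejects the `../` payload yet happily returns `/etc/passwd` for the absolute one, while the canonicalising resolver rejects both and still serves `cat.jpg`. The containment check is done with `os.path.commonpath` on the `realpath` output rather than a string prefix test, so `/var/www/images-private/x` would not be mistaken for a file under `/var/www/images`.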