
🗂️PortSwigger Lab Writeup: File Path Traversal - Traversal Sequences Stripped Non-Recursively

(Screenshot: PortSwigger lab description page for Path Traversal – Non-Recursive Traversal Sequences)


🎯 Objective

The objective of this lab is to exploit a path traversal vulnerability in a web application where traversal sequences are stripped non-recursively and to retrieve the contents of the sensitive file /etc/passwd.


💉 Payloads Used

  • Payload 1 - ❌
../../../../etc/passwd
  • Payload 2 - ✅
....//....//....//....//etc/passwd

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site does and how it works. (Screenshot: Path Traversal lab instance showing the vulnerable shopping site)
  • At first glance, the site looks like a shop selling an odd assortment of unrelated products. The lab description states that the vulnerability lies in how product images are displayed.

🔍Step 2: Find the Vulnerable Endpoint

  • Open the Network tab of the browser's Developer Tools to see which resources the website loads. (Screenshot: Developer Tools showing image requests in the Network tab)
  • The site dynamically loads product images by requesting /image?filename=..., as seen in the Network tab.
  • You can also confirm this by viewing the page source. (Screenshot: HTML source code revealing the vulnerable image loading endpoint)
  • This is a likely candidate for the vulnerable endpoint, since its filename parameter names a file for the server to read.

🧰Step 3: Capture Requests in BurpSuite

  • Start Burp Suite and reload the website so the proxy captures the requests.
  • By default, Burp Suite hides image requests in the HTTP history, so first adjust the filter to show images. (Screenshot: Burp Suite HTTP history filter)
  • After enabling the images filter, you will see all the requests that appeared in the Network tab of Developer Tools. (Screenshot: Captured image requests in Burp Suite)

🚀Step 4: Send the Payload

  • Based on our initial observations, the /image?filename=... endpoint appears to be the most likely vulnerable endpoint.
  • To test it, send any image request to the Repeater tab. (Screenshot: Sending an image request to the Repeater tab in Burp Suite)
  • First, try the most common payload, ../../../../etc/passwd, in the ?filename= parameter and send the request. (Screenshot: Path traversal payload using ../ blocked by the server in Burp Suite Repeater)
  • This payload does not work because the traversal sequences are being stripped. To check whether the stripping is recursive, try a payload in which each traversal sequence collapses back into ../ after a single stripping pass: ....//....//....//....//etc/passwd (Screenshot: Successful path traversal using the dot-dot-slash trick ....//etc/passwd)
  • And 💥 Boom! We get the contents of the /etc/passwd file.
  • And finally, the lab is solved. (Screenshot: PortSwigger "Lab Solved" screen after the successful non-recursive traversal bypass)

🧠 Conclusion

  • This lab is a case of path traversal in which the filename parameter is used to load product images from the server, and traversal sequences are stripped non-recursively.
  • Because ../ sequences are stripped only once (non-recursively), an attacker can evade the filter by inserting extra traversal characters, for example ....// instead of ../, so that a single stripping pass leaves a valid ../ behind and the restriction is bypassed.
  • Using the ....// sequences, we traversed out of the intended image directory and read the sensitive file /etc/passwd, because the resulting path was never validated after sanitisation.
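To make the difference between the filter the lab describes and a correct check concrete, here is a small Python model of both (an added example, not the lab's code; the image directory /var/www/images is an assumed value). It shows why the plain payload fails, why the ....// payload reaches /etc/passwd, and how a containment check on the normalised path refuses both.

```python
import posixpath
from typing import Optional

# Assumed image directory for the demo (the lab does not disclose its real path).
IMAGE_ROOT = "/var/www/images"

def strip_once(filename: str) -> str:
    """The flawed filter the lab models: a single non-recursive pass that
    removes every '../' present. In '....//' the middle '../' is removed and
    the leftover '..' and '/' close up into a fresh '../' that is never rechecked."""
    return filename.replace("../", "")

def flawed_resolve(filename: str, root: str = IMAGE_ROOT) -> str:
    """Vulnerable lookup: sanitise once, then trust the result blindly."""
    return posixpath.normpath(posixpath.join(root, strip_once(filename)))

def safe_resolve(filename: str, root: str = IMAGE_ROOT) -> Optional[str]:
    """Hardened lookup: strip nothing. Normalise the joined path and accept it
    only if it is still inside root, otherwise refuse. commonpath (not a string
    prefix test) is used so '/var/www/images2' does not pass as inside root.
    On a live filesystem also apply os.path.realpath so symlinks cannot escape."""
    candidate = posixpath.normpath(posixpath.join(root, filename))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    for payload in ("../../../../etc/passwd", "....//....//....//....//etc/passwd"):
        print(repr(payload))
        print("  after one strip :", repr(strip_once(payload)))
        print("  flawed resolve  :", repr(flawed_resolve(payload)))
        print("  safe resolve    :", repr(safe_resolve(payload)))
```

Note that safe_resolve accepts the raw ....// payload as an ordinary (non-existent) filename inside the image directory: without the stripping step there is nothing for the trick to collapse into.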