Skip to main content

🗂️PortSwigger Lab Writeup: File Path Traversal - Validation of File Extension with NullByte Bypass

PortSwigger lab description page for Path Traversal – Superfluous URL Decode

🎯 Objective

The objective of this lab is to exploit a path traversal vulnerability in a web application where the application validates that the user-supplied filename must end with a specific file extension (e.g., .png or .jpg) and our goal is to bypass this restriction using a null byte (%00) injection to retrieve the contents of the /etc/passwd.

💉 Payloads Used

  • Payload 1 - ❌
../../../../etc/passwd
  • Payload 2 - ✅
../../../../etc/passwd%00.png

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

Path Traversal lab instance showing vulnerable shopping site

  • At first glance, the website seems to be a shopping website with very unique and unrelated products. In the lab description, it is mentioned that the vulnerability is in the display of product images.

🔍Step 2: Find the Vulnerable Endpoint

  • Open the network tab of Developer Tools to see what resources the website loads. Developer tools showing image requests in the network tab
  • The site dynamically loads product images by requesting /image?filename=..., as seen in the network tab.
  • You can also verify this by looking at the source code of website. HTML source code revealing vulnerable image loading endpoin
  • This could be the vulnerable endpoint as it shows the path traversal patterns

🧰Step 3: Capture Requests in BurpSuite

  • Start the BurpSuite and reload the website to capture requests.
  • By default, BurpSuite hides the image requests in HTTP History, so first enable the images request filter. BurpSuite HTTP history filter
  • After enabling images filter, you would see all the requests you saw in network activity tab of developer tools. tools. Captured image requests in BurpSuite

🚀Step 4: Send the Payload

  • Based on our initial observations, the /image?filename=... endpoint appears to be the most likely vulnerable endpoint.
  • For testing, firstly send any image request to Repeater tab by Ctrl + R.
  • firstly, try the most common payload - ../../../../etc/passwd in ?filename= parameter and send the request. Failed path traversal attempt using ../ payload in BurpSuite
  • Hence, this payload didn’t work as traversal sequences are getting blocked because it is mentioned in lab description that filename must end with the expected file extension, so we try another payload that ends with file extension using NullByte - ../../../../etc/passwd%00.png
  • A Null Byte (\0) is a special binary character used in many programming languages and C-based systems to indicate end of a string. %00 is the URL encoded variant of \0 NullByte.
  • Since PHP < 5.3.4 uses C functions under the hood for file access and after processing the URL, it decodes the %00 to \0. Therefore C functions stop reading the string at NullByte helps in bypassing the file extension restriction. Successful null byte injection payload using %00 to bypass .png validation
  • And💥Booom!, We got the contents of /etc/passwd file.
  • And Finally, the Lab is solved. PortSwigger Lab solved confirmation after bypassing file extension check using null byte

🧠 Conclusion

  • This lab involves a case of path traversal vulnerability, where the filename parameter is used to load product images from server where the application validates that the supplied filename ends with the expected file extension.
  • Since the application only checks if the request ends with a expected file extension like .png in this case, an attacker may evade this filter if using vulnerable application versions by inserting NullByte after the payload and before the file extension like /payload%00.png — to bypass restrictions and access sensitive files.
  • By inserting %00 NullByte before the file extension, we successfully escaped the file extension filter and accessed the sensitive file /etc/passwd due to improper path validation.

🧾 Related CWEs

CWE IDTitleDescription
CWE-22Improper Limitation of a Pathname to a Restricted DirectoryThe application allows path traversal by not properly restricting file path input.
CWE-158Improper Neutralization of Null Byte or NUL CharacterThe application fails to handle null bytes correctly, allowing attackers to truncate strings and bypass extension filters.
CWE-180Incorrect Behavior Order: Validate Before CanonicalizeInput is validated before being decoded or canonicalized, leading to incorrect security decisions.