
🗂️PortSwigger Lab Writeup: File Path Traversal - Traversal Sequences Stripped with Superfluous URL-decode

[Screenshot: PortSwigger lab description page for Path Traversal – Superfluous URL Decode]


🎯 Objective

The objective of this lab is to exploit a path traversal vulnerability in a web application that strips traversal sequences from the URL before the URL is fully URL-decoded, and to retrieve the contents of the sensitive file /etc/passwd.


💉 Payloads Used

  • Payload 1 (no encoding) - ❌
../../../../etc/passwd
  • Payload 2 (single URL encoding) - ❌
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
  • Payload 3 (double URL encoding) - ✅
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32fetc/passwd
  • Note that the last slash in Payload 3 is only partially double-encoded (%25%32f rather than %25%32%66, the trailing f was left as-is). It still works: the first decode turns %25%32f into %2f, and the second decode turns %2f into /.

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works. [Screenshot: Path Traversal lab instance showing the vulnerable shopping site]
  • At first glance, the website is a shopping site with a set of unusual, unrelated products. The lab description states that the vulnerability is in the display of product images.

🔍Step 2: Find the Vulnerable Endpoint

  • Open the Network tab of the browser's Developer Tools to see which resources the website loads. [Screenshot: Developer Tools showing image requests in the Network tab]
  • The site loads product images by requesting /image?filename=..., as seen in the Network tab.
  • You can also verify this by viewing the page source. [Screenshot: HTML source revealing the image-loading endpoint]
  • This is the likely vulnerable endpoint: a user-controlled filename is handed to the server, which is exactly the pattern that path traversal exploits.

🧰Step 3: Capture Requests in BurpSuite

  • Start Burp Suite and reload the website to capture its requests.
  • By default, Burp Suite hides image requests in the HTTP history, so first enable images in the history filter. [Screenshot: Burp Suite HTTP history filter]
  • After enabling the images filter, you will see the same requests you saw in the Network tab of the Developer Tools. [Screenshot: captured image requests in Burp Suite]

🚀Step 4: Send the Payload

  • Based on our initial observations, the /image?filename=... endpoint is the most likely vulnerable endpoint.
  • To test it, send any image request to the Repeater tab. [Screenshot: sending an image request to the Repeater tab in Burp Suite]
  • First, try the most common payload, ../../../../etc/passwd, in the ?filename= parameter and send the request. [Screenshot: failed path traversal attempt using the ../ payload in Burp Suite]
  • This payload does not work: the traversal sequences are stripped from the input, so the remainder is resolved inside the image directory. Next, try a URL-encoded payload to see whether it bypasses the filter: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
  • To URL-encode the payload, select the traversal sequences in Repeater and right-click to open the context menu. [Screenshot: Burp Suite Repeater showing the selected payload for URL encoding]
  • From the context menu, click Convert selection --> URL --> URL-encode all characters. [Screenshot: Burp Suite context menu for URL-encoding the selected payload]
  • The payload is now URL-encoded and ready to send. [Screenshot: failed single URL-encoded path traversal payload in Burp Suite]
  • This payload does not work either: the server URL-decodes the parameter once before the filter runs, so %2e%2e%2f has already become ../ by the time the traversal sequences are stripped. Since the filter runs before the input is fully decoded, try a double URL-encoded payload instead: %25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32fetc/passwd
  • Repeat the same process to double-encode the payload: select the already URL-encoded traversal sequences and URL-encode them again. [Screenshot: second level of URL encoding applied to the payload in Burp Suite]
  • The payload is now double URL-encoded and ready to send. [Screenshot: successful path traversal using the double URL-encoded payload]
  • And 💥 Boom! We got the contents of /etc/passwd. After the first decode the value still reads %2e%2e%2f rather than ../, so the filter leaves it untouched; the second decode then turns it back into ../ before the file is opened.
  • Finally, the lab is solved. [Screenshot: PortSwigger lab solved after the successful double URL encoding exploit]

🧠 Conclusion

  • This lab is a path traversal vulnerability in which the filename parameter is used to load product images from the server. Traversal sequences are stripped before the input is fully decoded, which allows a bypass via double URL encoding.
  • Because ../ sequences are stripped once, after the first URL decode, but the value is URL-decoded a second time before the file is opened, an attacker can double URL-encode the traversal sequences: they survive the filter in encoded form and are only turned back into ../ by the second decode.
  • By double-encoding the ../ sequences, we traversed out of the intended image directory and read the sensitive file /etc/passwd. The root cause is validating the input before it has been fully decoded and canonicalized.
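The bypass described above, modelled in code. This is an added example, not the lab's server code or any PortSwigger code: it assumes an image directory of /var/www/images, a framework that URL-decodes the query parameter once, a filter that strips ../ from the decoded value, and a file-open routine that URL-decodes the value a second time. It runs all three payloads from the writeup through that flawed pipeline, reproduces the double-encoding applied twice in Repeater, and contrasts the result with a handler that canonicalizes first and validates second.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumption for this example: the directory the application intends to serve from.
IMAGE_DIR = "/var/www/images"

# The three payloads from the writeup, verbatim (note the partially encoded %25%32f at the end of the third).
PAYLOAD_PLAIN = "../../../../etc/passwd"
PAYLOAD_SINGLE = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"
PAYLOAD_DOUBLE = ("%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66"
                  "%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32fetc/passwd")


def url_encode_all(s: str) -> str:
    """Percent-encode every byte, like Repeater's 'URL-encode all characters'
    (urllib.parse.quote would leave '.' and letters alone, so it is not used here)."""
    return "".join(f"%{b:02x}" for b in s.encode())


def double_encode(s: str) -> str:
    """Apply 'URL-encode all characters' twice, as done in Step 4 of the writeup."""
    return url_encode_all(url_encode_all(s))


def vulnerable_resolve(filename: str) -> str:
    """Model of the lab's flawed handling (hypothetical, not the real server code):
    1. the framework URL-decodes the query parameter once,
    2. the filter strips '../' from that decoded value,
    3. the file-open code URL-decodes the value again (the superfluous decode),
    4. the result is joined to IMAGE_DIR and normalised."""
    decoded_once = unquote(filename)
    filtered = decoded_once.replace("../", "")
    decoded_twice = unquote(filtered)
    return posixpath.normpath(posixpath.join(IMAGE_DIR, decoded_twice))


def hardened_resolve(filename: str) -> Optional[str]:
    """Canonicalise first, validate second: decode exactly once, build the full
    path, normalise it, and reject anything that leaves IMAGE_DIR.
    No decoding happens after this check. Returns None when the request is rejected."""
    decoded = unquote(filename)
    candidate = posixpath.normpath(posixpath.join(IMAGE_DIR, decoded))
    if candidate != IMAGE_DIR and not candidate.startswith(IMAGE_DIR + "/"):
        return None
    return candidate


def escaped_image_dir(path: str) -> bool:
    """True when a resolved path lies outside IMAGE_DIR."""
    return not path.startswith(IMAGE_DIR + "/")


if __name__ == "__main__":
    for label, payload in (("plain", PAYLOAD_PLAIN), ("single", PAYLOAD_SINGLE),
                           ("double", PAYLOAD_DOUBLE), ("generated", double_encode("../") * 4 + "etc/passwd")):
        resolved = vulnerable_resolve(payload)
        print(f"{label:9s} vulnerable -> {resolved}  escaped={escaped_image_dir(resolved)}")
        print(f"{label:9s} hardened   -> {hardened_resolve(payload)}")
```

In a real handler use os.path.realpath (or the platform equivalent) rather than posixpath.normpath so that symlinks are resolved too, and keep the rule the example illustrates: every decode step must happen before the containment check, and nothing may decode the value again afterwards.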

Below are the Common Weakness Enumerations (CWEs) relevant to this vulnerability and lab:

CWE ID  | Name                                                                           | Description
CWE-22  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | The core vulnerability: an attacker can access files outside the intended directory using traversal sequences such as ../.
CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize                         | The main cause of this lab's vulnerability. Input is filtered for dangerous patterns before it is fully decoded, allowing a bypass via encoded payloads.
CWE-173 | Improper Handling of Alternate Encodings                                       | The application fails to handle double URL encoding correctly, enabling attackers to evade the filter.
CWE-116 | Improper Encoding or Escaping of Output                                        | Although more common in output contexts, this CWE is listed here because of the mishandling of encoded input prior to validation.