🗂️PortSwigger Lab Writeup: File Path Traversal - Validation of Start of Path
🎯 Objective
The objective of this lab is to exploit a path traversal vulnerability in a web application that checks only that the user-supplied filename begins with a specific base directory (here `/var/www/images`) before using it, and to retrieve the contents of the sensitive file `/etc/passwd`.
- Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path
- Category: Path Traversal (Directory Traversal)
- Difficulty: Practitioner
💉 Payloads Used
- Payload 1 - ❌ `../../../../etc/passwd`
- Payload 2 - ✅ `/var/www/images/../../../../etc/passwd`
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- First, open the lab URL in your browser and observe what the site does and how it works.
- At first glance, the site is a shop selling unusual and unrelated products. The lab description states that the vulnerability lies in how product images are displayed.
🔍Step 2: Find the Vulnerable Endpoint
- Open the Network tab of the browser's Developer Tools to see which resources the site loads.
- The site loads product images by requesting `/image?filename=...`, as seen in the Network tab. You can confirm this by viewing the page source.
- This is the likely vulnerable endpoint: a filename taken straight from the query string and used to read a file from disk is the classic shape of a path traversal bug.
🧰Step 3: Capture Requests in BurpSuite
- Start Burp Suite and reload the site so the requests are captured.
- By default Burp hides image requests in the Proxy HTTP history, so first adjust the history filter to show images.
- Once images are shown, you will see the same requests you saw in the Network tab.
🚀Step 4: Send the Payload
- Based on the initial observations, the `/image?filename=...` endpoint is the most likely candidate. Send one of the image requests to Repeater (Ctrl + R).
- First, try the most common payload, `../../../../etc/passwd`, in the `filename` parameter and send the request.
- This payload fails, but not because traversal sequences are blocked: the lab description says the filename must start with the expected base folder, and a bare `../` sequence does not. Since the check only looks at the start of the string, try a payload that begins with the base path and then traverses out of it: `/var/www/images/../../../../etc/passwd`
- Three `../` segments are enough to reach `/` from `/var/www/images`; the fourth is harmless because `/..` resolves to `/` on Linux.
- 💥 Boom! The response contains the contents of `/etc/passwd`.
- The lab is solved.
🧠 Conclusion
- This lab is a path traversal case in which the `filename` parameter is used to load product images from the server. The application sends the full file path in the request and validates only that the supplied path starts with the expected folder.
- Because the check is a plain prefix comparison against `/var/www/images`, an attacker can satisfy it and still escape the directory by placing traversal sequences after the base path: `/base-path/../` instead of `../`.
- Inserting `../` sequences after the base path bypassed the filter and exposed `/etc/passwd`. The root cause is validating the path before canonicalizing it (CWE-180): the fix is to resolve the path first and only then verify that the resolved path lies inside the base directory, with a separator check so that `/var/www/images-private` is not mistaken for a child of `/var/www/images`.
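The bypass from Step 4 and the prefix-check flaw described in the conclusion, reproduced as an added Python example. This is not the lab's server code; `BASE_DIR` and the two payloads are taken from the writeup, while the `/image` endpoint is mimicked by a `serve` function and the filename `23.jpg` is made up for the demo.

```python
"""Prefix-only path validation vs. canonicalize-then-check.

Added illustration for this writeup, not the lab's own server code.
BASE_DIR and the payloads come from the writeup; the sample image name
and the serve() helper are assumptions for the demo.
"""
import posixpath
from typing import Callable, Optional

BASE_DIR = "/var/www/images"

# Payloads from the writeup.
PAYLOAD_PLAIN = "../../../../etc/passwd"                     # rejected: no base prefix
PAYLOAD_PREFIXED = "/var/www/images/../../../../etc/passwd"  # accepted, then escapes


def vulnerable_check(filename: str) -> bool:
    """The flawed logic the writeup describes: compare the raw string's prefix
    and never canonicalize (CWE-180 leading to CWE-22)."""
    return filename.startswith(BASE_DIR)


def canonicalize(filename: str) -> str:
    """Resolve the path the way the filesystem will, lexically: relative names
    are anchored at BASE_DIR, '..' segments collapse, and '/..' stays at '/'.
    On a live system also apply os.path.realpath() so symlinks are followed."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def hardened_check(filename: str) -> bool:
    """Canonicalize first, then confirm the result lies inside BASE_DIR.
    The trailing separator matters: '/var/www/images-private/x' also starts
    with '/var/www/images' but is outside the directory."""
    resolved = canonicalize(filename)
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")


def serve(filename: str, check: Callable[[str], bool]) -> Optional[str]:
    """Mimic the /image endpoint: return the path that would actually be
    opened if `check` accepts the supplied name, otherwise None."""
    if not check(filename):
        return None
    return canonicalize(filename)


if __name__ == "__main__":
    for name in (PAYLOAD_PLAIN, PAYLOAD_PREFIXED, "/var/www/images/23.jpg"):
        print(f"{name!r:48} vulnerable -> {serve(name, vulnerable_check)!s:18}"
              f" hardened -> {serve(name, hardened_check)}")
```

Run it and the prefixed payload passes `vulnerable_check` yet resolves to `/etc/passwd`, which is exactly what the lab server opened; `hardened_check` rejects both payloads and still accepts a genuine image path.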
🧾 Related CWEs
CWE ID | Title | Description |
---|---|---|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Allows attackers to access files outside the intended directory using traversal sequences like ../ . |
CWE-24 | Path Traversal: '..\filedir' | Exploitation via alternative traversal syntax such as backslashes to bypass filters. |
CWE-41 | Improper Resolution of Path Equivalence | Fails to resolve and validate canonical paths, allowing attackers to bypass access controls using crafted paths. |
CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | Input is validated before being decoded or canonicalized, leading to incorrect security decisions. |