File path traversal, traversal sequences blocked with absolute path bypass

Introduction

Hello, everyone! How are you all doing? In this article, we will cover PortSwigger Web Security Lab number 2, which focuses on File Path Traversal with traversal sequences blocked, using an absolute path to bypass the filter. We have already covered the first lab in an earlier article, so let’s work through this one step by step, practically.

Lab Description

In this lab, we have a file path traversal vulnerability in the display of product images. The application has implemented a security measure that blocks traversal sequences such as ../. However, the check does nothing about absolute paths, so we can bypass it by supplying one.

To solve this lab, you need to retrieve the /etc/passwd file.

First, you need to access the lab. Open your Burp Suite and enable the proxy. Add the target URL to the scope so that we can filter the necessary traffic later.

Now, view any product in the application and refresh the page. You will see the results in Burp’s history. Assuming you have already added the application’s URL to the scope, go to the HTTP history and select “Show only in scope” and tick the “image” option. Apply the filter.

Once you have done this, send any .jpg image request to the Repeater tab. We will perform the further testing there.

You can see that when I used filename=../../../etc/passwd, nothing was returned: the traversal sequence was blocked. Now, let’s use the absolute path /etc/passwd directly.

GET /image?filename=/etc/passwd

When I used filename=/etc/passwd, the filter did not trigger and I successfully retrieved the /etc/passwd file.
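To see why the absolute path gets through, here is an added example (my own code, not the lab’s back end) of a filter that only looks for ../ next to a hardened version that canonicalises the path and checks it stays under the image directory. The image directory name is an assumption.

```python
import os
from typing import Optional

# Assumed location of product images; not taken from the lab.
IMAGE_DIR = "/var/www/images"


def weak_resolve(filename: str) -> Optional[str]:
    """Mimics the lab's filter: it rejects any '..' sequence but nothing else.

    The flaw: os.path.join() discards IMAGE_DIR entirely when the second
    argument is absolute, so '/etc/passwd' is returned unchanged.
    """
    if ".." in filename:
        return None  # traversal sequence blocked
    return os.path.join(IMAGE_DIR, filename)


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened version: canonicalise, then require the result to remain
    inside IMAGE_DIR. Absolute paths and '..' are both handled because the
    check is on the resolved path, not on the input string."""
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None  # resolved outside the image directory
    return candidate


if __name__ == "__main__":
    for name in ("23.jpg", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:26} weak={weak_resolve(name)!r:32} safe={safe_resolve(name)!r}")
```

The weak filter blocks the ../ payload yet hands back /etc/passwd for the absolute input, which is exactly the behaviour observed in Repeater; the hardened function rejects both.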

So, we have successfully solved the PortSwigger Web Security Lab’s File Path Traversal with traversal sequences blocked using absolute path bypass.

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

To continue studying, check out the next lab, File Path Traversal, Traversal Sequences Stripped Non-Recursively. Finish the current lab before moving on to the next one. Good luck!

FAQs

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.

How to find someone’s social security number on the dark web?

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.