Introduction
Hello, friends. This is our 4th article on directory (path) traversal. In this article, we will cover the PortSwigger Web Security Academy lab "File Path Traversal, Traversal Sequences Stripped with Superfluous URL-decode", step by step and hands-on.
Lab Description
In this lab, the product image feature has a file path traversal vulnerability. The application blocks input that contains path traversal sequences, but it then URL-decodes the input (a superfluous decode) before using it, so a traversal sequence that is still encoded when the check runs is reconstructed afterwards.
To solve this lab, you need to access the /etc/passwd file.
Lab Solution
You can learn everything related to web security on our website. We upload the latest articles on web security topics daily, so stay with us.
First, open the lab and make sure your browser is proxying through Burp. Then click View details on any product.
After that, go to Burp's HTTP history, open the filter and tick Images so that requests and responses for image files are shown.
You will see requests for .jpg files. Send one of them to Repeater for further testing. We will focus our testing on the filename= parameter.
I first tried /etc/passwd directly in the filename= parameter, but got nothing back.
Then I tried ../../../../etc/passwd and deeper variants, for example:
GET /image?filename=../../../../../etc/passwd
This was rejected with a 400 Bad Request, because the filter sees the literal ../ sequence. Similarly, I tried the nested form ....//....//....//....//etc/passwd (which survives a single strip of ../), but again got nothing.
Next, I double URL-encoded the forward slashes in ../../../etc/passwd, giving ..%252f..%252f..%252fetc/passwd, and tried again. The point is that %252f is not / encoded once but twice: the server's framework decodes it once to %2f, which does not match the traversal check, and the application's own superfluous decode then turns %2f into /, so the ../ sequence is rebuilt only after the filter has run.
You can also encode the whole of %2f a second time, character by character, which gives %25%32%66 (%25 for %, %32 for 2, %66 for f). Decoded once it becomes %2f; decoded again it becomes /.
So the fully double-encoded version of ../../../etc/passwd is ..%25%32%66..%25%32%66..%25%32%66etc/passwd.
When I put that payload (..%25%32%66..%25%32%66..%25%32%66etc/passwd) in the filename= parameter, the response contained the contents of /etc/passwd, and the lab was solved.
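To make the bypass concrete, here is an added example (not the lab's real server code and not part of the original write-up) that simulates the order of operations the lab describes: decode once, check for ../, decode again, open the file. It builds the two double-encoded payloads used above, shows why the plain and single-encoded forms are blocked while the double-encoded ones reach /etc/passwd, and puts a hardened handler beside it that rejects any still-encoded input and checks the canonicalised path instead of the string. The image directory /var/www/images is an assumption for illustration.

```python
import os
from urllib.parse import unquote

# Constructed simulation of the behaviour the lab describes; it is not the
# lab's real server code. The base directory is an assumption for illustration.
IMAGE_DIR = "/var/www/images"


def lab_like_server(raw_value):
    """Model of the vulnerable handler.

    Order of operations (the bug is the order itself):
      1. the web framework URL-decodes the query-string value once,
      2. the application rejects anything containing a literal '../',
      3. the application URL-decodes the value a second time (superfluous),
      4. the result is joined onto IMAGE_DIR and opened.
    Returns the path that would be opened, or None if the input was blocked.
    """
    received = unquote(raw_value)          # step 1: framework decode
    if "../" in received:                  # step 2: the filter only sees this form
        return None
    decoded = unquote(received)            # step 3: superfluous second decode
    return os.path.normpath(os.path.join(IMAGE_DIR, decoded))   # step 4


def double_encoded_payload(depth, target, full=False):
    """Build a traversal payload whose '/' separators are URL-encoded twice.

    full=False encodes only the '%' of '%2f'    -> ..%252f..%252f...
    full=True  encodes each character of '%2f'  -> ..%25%32%66..%25%32%66...
    Both survive the first decode as '..%2f' and become '../' on the second.
    """
    sep = "%25%32%66" if full else "%252f"
    return (".." + sep) * depth + target.lstrip("/")


def hardened_server(raw_value):
    """Same handler with the two fixes a reviewer would ask for:
    decode exactly once (reject anything still containing '%' or a NUL byte),
    then check the canonicalised path against the image directory instead of
    pattern-matching the string.
    """
    received = unquote(raw_value)
    if "%" in received or "\x00" in received:
        return None                        # a second encoding layer is itself suspicious
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, received))
    if os.path.commonpath([base, candidate]) != base:
        return None                        # resolved outside the image directory
    return candidate


if __name__ == "__main__":
    for name in ("../../../etc/passwd",
                 "..%2f..%2f..%2fetc/passwd",
                 double_encoded_payload(3, "etc/passwd"),
                 double_encoded_payload(3, "etc/passwd", full=True)):
        print(f"{name:48} vulnerable={str(lab_like_server(name)):14} "
              f"hardened={hardened_server(name)}")
```

Running it shows the first two inputs blocked by the vulnerable filter and both double-encoded payloads resolving to /etc/passwd, while the hardened handler rejects all four. The general lesson is that any check that runs before the last decode step can be bypassed by adding one more encoding layer than the check expects.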
As you can see, we have successfully solved the PortSwigger Web Security Lab’s File Path Traversal, Traversal Sequences Stripped with Superfluous URL-decode.
To continue studying, check out the next lab, File Path Traversal, Validation of Start of Path. Finish the current lab before moving on to the next one. Good luck!
FAQS
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, and other security threats.
Web application security means protecting a web application from attacks that exploit vulnerabilities such as SQL injection, XSS, file inclusion, and path traversal.
It is always good practice to use an up-to-date browser and to keep your browser plugins updated, avoid malicious websites and links, and enable two-factor authentication on your accounts.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.