This blog discusses the Information Disclosure labs provided by PortSwigger.
This write-up for the lab Directory Traversal, simple case, is part of my walkthrough series for PortSwigger's Web Security Academy.
What is a Directory Traversal Vulnerability
A directory traversal attack is when someone uses crafted file and path names to access data on a computer system. They take advantage of the fact that some operating systems allow users to input any text they want as a file name. By doing this, they can access files and directories that they should not have access to, such as important system files and confidential information. Directory traversal, also referred to as "directory climbing" or "directory hopping", is a type of malicious activity. The underlying security flaw occurs when a computer system does not properly filter user input, allowing unauthorized access to files stored on the system.
How to Prevent a Directory Traversal Attack
Directory traversal, also known as path traversal, is a security vulnerability commonly found in web applications. This attack is possible when programming languages allow spaces in file names and the operating system does not always check for them. To prevent this, a web application firewall can be used to filter out requests containing double dots, or users can be restricted from uploading files with spaces in the filename. In today's digital era, companies are greatly concerned about the security of their websites. PortSwigger's service for preventing directory traversal offers strong protection against hackers and various cyber attacks.
Directory Traversal Vulnerability Labs with Use Cases and Solutions
Let’s access the lab.
Step-1 First, use Burp Suite to intercept the request.
Step-2 Use Burp Suite to intercept and modify a request that fetches a product image.
Here we forgot to capture the image request and captured the page request instead, so we have to capture the request by opening the image in a new tab.
Step-3 Now we will modify the parameter to ../../../etc/passwd.
Observe that the response has the contents of /etc/passwd.
Let’s access the lab.
Step-1 Here we can clearly see that the URL accepts a parameter and uses its value to fetch the file.
Step-2 Now, using Burp, capture the request for the image by opening it in a new tab.
Step-3 Send it to Repeater.
Step-4 Now give the parameter the value /etc/passwd and observe that the response contains the contents of /etc/passwd.
Let’s access the lab.
Step-1 As we can clearly see, this is the lab where traversal sequences are stripped non-recursively, so here we have to use a different pattern to bypass it.
Step-2 First, intercept the request and try to modify it.
Step-3 After using the ../../../etc/passwd pattern, the response shows "No such file".
Step-4 Now let's intercept the image request and modify the parameter with the following pattern: ....//....//....//etc/passwd
Step-5 Modify the parameter.
Observe that the response contains the contents of the /etc/passwd file.
The lab is solved.
Let’s access the lab.
Step-1 Here we will first intercept the image request.
Step-2 Then send it to repeater.
Step-3 First try the previous payloads and see the response, i.e., "No such file".
Step-4 Now let's try URL encoding the payload using Burp's Decoder tab, which has a built-in encoding feature.
Let's modify the parameter with the payload.
Observe that the response is similar to the previous one.
Step-5 Now it’s time to use the Intruder. So send the request to intruder.
Step-6 Let's define the attack type, i.e., Sniper, and then add the payload position marker after "filename=".
Step-7 Use Burp's built-in path traversal payload list, or use another payload list and copy it in; a directory traversal payload list can be obtained from here.
Now start the attack.
Step-8 Observe the attack; at the end we got three payloads with a greater response length, so copy one of those payloads, or the lab is solved by itself once the attack is complete.
Let’s Begin with the lab.
Step-1 Intercept the image request and send it to Repeater.
Step-2 We can clearly see from the lab description: if an application requires the user-supplied filename to start with a specific base folder such as /var/www/images, it may be vulnerable to attacks where the user supplies the base folder and then uses traversal sequences to access other files or folders. For example: /var/www/images/etc/passwd. Alternatively, there are many other payloads.
After sending the request, we can clearly observe the response containing the file contents, and the lab is solved.
Let’s access the lab.
Step-1 Let's intercept the request for the image and send it to Repeater.
Step-2 Now all we have to do is send the payload with an acceptable file extension, i.e., .jpg or .png, whichever it validates. For example: ../../../etc/passwd%00.jpg
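To close the walkthrough, here is an added Python example (not code from the original post or from PortSwigger) that runs the parameter values used in the labs above through the double-dot filter suggested in the "How to Prevent" section and through a check made on the resolved path instead. BASE_DIR, the allowed extensions and the function names are assumptions, and the base-folder payload is written with the traversal sequences that lab's description refers to.

```python
"""Lab payloads against two defences: the post's double-dot filter and a resolved-path check.
Added example, not code from the original post or from PortSwigger; BASE_DIR, the allowed
extensions and every function name are assumptions made for this illustration."""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

BASE_DIR = "/var/www/images"     # assumed image directory (the base folder named in the labs)
ALLOWED_EXT = {".jpg", ".png"}   # assumed allow-list, as in the extension-validation lab


def dot_dot_blocked(filename: str) -> bool:
    """The prevention section's filter: drop any request whose raw parameter contains '..'."""
    return ".." in filename


def safe_resolve(filename: str) -> Optional[str]:
    """Decode, join to BASE_DIR, normalise, then check containment and extension on the
    resolved path (not on the input string). Returns the path, or None to reject."""
    decoded = unquote(filename)
    if "\x00" in decoded:            # null byte: reject rather than let the OS truncate the name
        return None
    # posixpath.join discards BASE_DIR when `decoded` is absolute; the containment check catches it.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None                  # resolved outside the image directory
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None                  # extension checked after normalisation
    return candidate


# Parameter values used in the labs above plus one benign name (constructed, not captured traffic)
LAB_PAYLOADS = {
    "legit": "cat.jpg",
    "simple": "../../../etc/passwd",
    "absolute": "/etc/passwd",
    "non_recursive": "....//....//....//etc/passwd",
    "url_encoded": "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",   # the '../' sequences URL-encoded
    "base_folder": "/var/www/images/../../../etc/passwd",
    "null_byte": "../../../etc/passwd%00.jpg",
}


def compare_defences() -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each payload: (dropped by the double-dot filter?, what safe_resolve returns)."""
    return {name: (dot_dot_blocked(p), safe_resolve(p)) for name, p in LAB_PAYLOADS.items()}


if __name__ == "__main__":
    for name, (dropped, path) in compare_defences().items():
        print(f"{name:14} dot_dot_blocked={dropped!s:5} safe_resolve={path}")
```

The double-dot filter lets the absolute-path and URL-encoded forms through, while the resolved-path check rejects every lab payload and still serves the benign name.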