The Wild World of Path Traversal: Sneaking Around the Web’s Dark Corners

This summarizes what I learned from portswigger’s course on path traversal

Picture this: you’re exploring an old mansion. You’re meant to stay in the guest room, but who can resist the temptation of snooping through the forbidden rooms? That’s basically what a path traversal vulnerability lets you do on a website — poke around where you’re not supposed to. Imagine having access to http://example.com/users/112/pics, but then sneakily going to http://example.com/users/112/pics/../../../etc/passwd. Boom! You’re now rifling through the mansion’s hidden attic of secrets.

Common Obstacles: The Website’s Guard Dogs

1. Escaping the ../../ Chase: Websites aren’t just going to let you waltz around with ../../, but that doesn’t mean you’re stuck. Absolute paths like /etc/passwd can often sneak past. And if you want to flex, try throwing in some Nested Traversal Sequences (NTS), like ....// or ....\/. They may seem like gibberish, but to a vulnerable system, they just look like your good ol’ ../.
2. Escaping the Escape Hatch: Sometimes, websites are a bit paranoid and try to escape your every move. No problem! Time to whip out the URL encoding magic. Try encoding your ../, double encoding it, or mix it up with other encodings until the site lets its guard down.
3. Home is Where the Current Directory Is: Occasionally, the site might be picky and want you to include the current directory in your sneaky path. Just toss in the full path like filename=/var/www/images/../../../etc/passwd and see if that does the trick.
4. Expected Extensions: File Extensions, but Make It Fancy: Some websites are like fashion snobs and won’t accept your paths unless they end with a .jpg or some other ‘approved’ extension. When that happens, just slap on a null byte like filename=../../../etc/passwd%00.png. Null bytes say, “I’m ending the path here,” but they dress it up with a fake extension to keep up appearances.

Path Traversal Prevention: Keeping the Mansion Secure

Now, if you’re on the good side of things and want to prevent this mess, here’s the deal: Don’t let user inputs go directly to your APIs like unsupervised toddlers with crayons in a white room. But if you must, for the love of security, scrub that input clean! Filter it, sanitize it, and make sure it can’t sneak off to places it shouldn’t be.

Path traversal is like trying to take shortcuts through the web’s alleyways. Sometimes you get away with it, but other times you’ll run into obstacles or a fierce guard dog that sends you packing. But whether you’re the sneaky intruder or the security gatekeeper, knowing these tricks and tips keeps you ahead of the game. Happy hacking — ethically, of course!