File path traversal, traversal sequences blocked with absolute path bypass

In this post we will walk step by step through how to solve File path traversal, traversal sequences blocked with absolute path bypass on PortSwigger. This lab’s difficulty is Practitioner and it is the second lab on Directory Traversal on Portswigger.

Link to lab: https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass

To start the lab click the ‘Access the Lab’ button.

As we begin the lab we encounter a shop page showcasing different products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session. So, don’t worry if your products look different.

When selecting a product it opens a page containing comprehensive details about the product.

Inspecting the source code we can observe an <img> tag referencing an image file named 47.jpg.

Bringing this request into Burp Suite Repeater we can manually attempt to attack the filename parameter.

In our pursuit of directory traversal our initial target is the /etc/passwd file, which is typically accessible to all users on a Linux system. To begin the attack it’s important to know the behavior of the ‘filename’ parameter. Given that it references an image file on the system (in this case, a JPG), we can reasonably assume that this parameter reads files and displays their contents in the browser.

We attempted to use the same payload as in our previous lab, ‘File path traversal, simple case,’ which was ../../../../../../etc/passwd. Unfortunately, we encountered an issue. It appears that the application is blocking the use of ../ in our payload.

We can make an attempt to access the file using an absolute path. An absolute path directly references a file without utilizing any traversal sequences. In this case, the payload would appear as /etc/passwd.

Our payload was successful and we have gained access to read the contents of the /etc/passwd.

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod