A3:2021 | Path Traversal (2) | Cycubix Docs

Path traversal while uploading files

In this assignment the goal is to overwrite a specific file on the file system. Of course, WebGoat cares about its users, so you need to write your file to the location specified in the lesson, which lies outside the usual upload directory.

Solution

  1. Hint: Try updating the profile; WebGoat will display the location where the file was stored. Look at the displayed location: how is the file name on the server constructed? Does the server validate any input given in the full name field?

  2. Open the intercept tab in Burp, or launch ZAP with a breakpoint set.

  3. Go to WebGoat and upload your file. Then switch to Burp/ZAP and find the intercepted POST request.

Request on ZAP

Request on Burp

  4. Then add "../" in front of `test` in the full name field, forward the request and observe the response.

With ZAP

With Burp
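The bug the hint points at is that the server builds the destination path from the full name field without validating it, so a `../` prefix walks out of the upload directory. The following is an added Python illustration (not WebGoat's own Java code) that puts that vulnerable construction beside a hardened version that canonicalises the path and checks it stays inside the upload directory; the directory name and function names are assumptions chosen for the example.

```python
import posixpath

# Placeholder upload directory for the example; not WebGoat's real path.
UPLOAD_DIR = "/home/webgoat/uploads"


def unsafe_upload_path(full_name: str) -> str:
    """Vulnerable construction, modelled on what the hint describes:
    the profile's full name is joined to the upload directory with no
    validation, so '../' segments in it walk out of UPLOAD_DIR."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, full_name))


def safe_upload_path(full_name: str) -> str:
    """Hardened construction: normalise the candidate path, then require
    that it still lies strictly below UPLOAD_DIR. Absolute names, empty
    names and anything that escapes the directory are rejected.
    (A stricter design would ignore the user-supplied name entirely and
    use a server-generated file name; this keeps the lesson's shape.)"""
    if not full_name or posixpath.isabs(full_name):
        raise ValueError("invalid upload name: %r" % full_name)
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, full_name))
    # commonpath works on path components, so '/home/webgoat/uploads2'
    # is correctly treated as outside '/home/webgoat/uploads'.
    inside = posixpath.commonpath([UPLOAD_DIR, candidate]) == UPLOAD_DIR
    if not inside or candidate == UPLOAD_DIR:
        raise ValueError("path traversal rejected: %r" % full_name)
    return candidate


def is_traversal_attempt(full_name: str) -> bool:
    """Detection helper: True when the name would escape UPLOAD_DIR.
    Useful for logging or alerting on rejected profile updates."""
    try:
        safe_upload_path(full_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("test", "../test", "a/../../test"):
        print(name, "->", unsafe_upload_path(name),
              "| traversal:", is_traversal_attempt(name))
```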
