A3:2021 | Path Transversal (3) | Cycubix Docs

Path traversal while uploading files

The developer became aware of the vulnerability and implemented a fix that removed the ../ from the input. Again the same assignment, but can you bypass the implemented fix?


  • Just like in the previous lab, we will upload an image and intercept the request with ZAP or Burp.

  • Once we intercept it we analyze the POST request and we think how to bypass it. One of the hints says "The new and improved version removes ../ from the input, can you bypass this?".

  • We will try to bypass it with

  • Now check the response on Zap.

Last updated