A3:2021 | Path Traversal (5)

Retrieving other files with a path traversal

Path traversal is not limited to file uploads: when an application retrieves files, a path traversal may also let you read other files from the system. In this assignment, try to find a file called path-traversal-secret.jpg.


  • Hint: Can you specify the image to be fetched? Look at the Location header. Use /random?id=1, for example, to fetch a specific image. Use /random/?id=../../1.jpg to navigate to a different directory. '..' and '/' are no longer allowed; can you bypass this restriction? Use URL encoding for ../ to bypass the restriction.

  • Open ZAP or Burp with the interceptor enabled. Then, in WebGoat, click "Show Random cat picture".

  • The request and response look like this:

With ZAP

  • It could happen that you see the request with the following path:

    GET http://localhost:8080/WebGoat/images/cats HTTP/1.1

In that case, go into the developer tools and check the path.

  • In that case, find the correct request.

  • Edit the request according to this path to see whether the request can be manipulated:

  • Since ../ is rejected, we can try URL-encoding it with the ZAP encoder. In ZAP, the encoder is under Tools/Encode-Decode-Hash.

Example in ZAP Decoder

  • We then replace the id value in the request with its URL-encoded form: id=%2e%2e%2f%2e%2e%2fpath-traversal-secret

  • The server now processes the request.

  • We have now found the path to the files. Next, retrieve the file named in the exercise, "path-traversal-secret.jpg", by changing the request accordingly.

  • Check the response. Make sure "Text" is selected as the body view; otherwise you will not see the reply.

  • Getting your SHA-512

Go to https://sha512.online/ and input a string containing your WebGoat username.

It will generate a hash; submit it as the secret answer.
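As an added illustration, not WebGoat's own code, the following Python models the check this lesson bypasses (a blocklist applied to the raw query string before URL decoding), puts a hardened lookup beside it, and adds a log-side detector for encoded traversal attempts. IMAGE_DIR is an assumed path, not WebGoat's real layout.

```python
import os
from urllib.parse import unquote

# Assumed image directory for this model; WebGoat's real layout is not reproduced.
IMAGE_DIR = "/var/app/images/cats"


def naive_lookup(raw_id):
    """Model of the flawed check the lesson bypasses: the blocklist inspects the
    raw query value, but the value is URL-decoded only *after* that check."""
    if ".." in raw_id or "/" in raw_id:
        return None  # "illegal characters" response
    decoded = unquote(raw_id)  # %2e%2e%2f turns into ../ here, too late
    return os.path.normpath(os.path.join(IMAGE_DIR, decoded + ".jpg"))


def hardened_lookup(raw_id):
    """Decode first, canonicalise, then require the result to stay under IMAGE_DIR.
    normpath is lexical; combine it with os.path.realpath if symlinks are possible.
    For an endpoint whose ids are integers, an allowlist (decoded.isdigit())
    before any path building is simpler still."""
    decoded = unquote(raw_id)
    candidate = os.path.normpath(os.path.join(IMAGE_DIR, decoded + ".jpg"))
    if os.path.commonpath([IMAGE_DIR, candidate]) != IMAGE_DIR:
        return None  # escaped the image directory
    return candidate


def is_traversal_attempt(raw_id):
    """Log-side detector: decode until the value stops changing, so single or
    double URL encoding is unwrapped, then look for a '..' path segment."""
    value = raw_id
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value.replace("\\", "/").split("/")
```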

