A3:2021 | Path Traversal (5) | Cycubix Docs
Last updated
Retrieving other files with a path traversal
Path traversals are not limited to file uploads; when a server retrieves files, a path traversal may also let you retrieve other files from the system. In this assignment, try to find a file called path-traversal-secret.jpg.
Solution
Hint: Can you specify the image to be fetched? Look at the Location header. Use /random?id=1, for example, to fetch a specific image. Use /random/?id=../../1.jpg to navigate to a different directory. '..' and '/' are no longer allowed; can you bypass this restriction? Use URL encoding for ../ to bypass the restriction.
Open the ZAP or Burp interceptor. Then, in WebGoat, click "Show Random cat picture".
The request and response look like this:
With ZAP
It can happen that you see the request with the following path:
In that case, go into the browser developer tools and check the path, then find the correct request.
Edit the request to use this path and see whether the request can be manipulated:
Since ../ is rejected, we can try URL-encoding it with the ZAP encoder. In ZAP, the encoder is under Tools/Encode-Decode-Hash.
Example in Zap Decoder
We then replace the parameter with the encoded value id=%2e%2e%2f%2e%2e%2fpath-transversal-secret
The system now processes the request instead of rejecting it.
We have now found the path to the files. Let's go ahead and fetch the file named in the exercise, "path-traversal-secret.jpg". Change the request accordingly.
Check the answer. Make sure "Text" is selected for the response body view; otherwise you will not see the reply.
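To show why the lesson's filter can be bypassed with URL encoding, here is an added example (not WebGoat's own code) in Python: a blocklist checked on the raw parameter before decoding, beside a hardened resolver that decodes first, accepts only a bare file name and confirms the canonical path stays inside the image directory. IMAGE_DIR is a constructed placeholder; the real WebGoat directory is not given on this page.

```python
import os
from urllib.parse import unquote

# Constructed placeholder; the real WebGoat image directory is not given on this page.
IMAGE_DIR = "/var/webgoat/images"


def weak_filter_allows(image_id: str) -> bool:
    """The lesson's style of check: reject '..' and '/' in the raw parameter.
    It runs before URL decoding, so %2e%2e%2f passes untouched."""
    return ".." not in image_id and "/" not in image_id


def weak_resolve(image_id: str) -> str:
    """Vulnerable pattern: filter the raw value, decode later, then build the path."""
    if not weak_filter_allows(image_id):
        raise ValueError("rejected by blocklist")
    decoded = unquote(image_id)
    return os.path.normpath(os.path.join(IMAGE_DIR, decoded + ".jpg"))


def fully_decode(value: str, rounds: int = 3) -> str:
    """Decode until stable so a double-encoded %252e does not survive one pass."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def safe_resolve(image_id: str) -> str:
    """Hardened version: decode first, allow only a bare file name, then check
    that the canonical path is still inside IMAGE_DIR (the real defence)."""
    name = fully_decode(image_id)
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("image id must be a bare file name")
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, name + ".jpg"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the image directory")
    return candidate


def is_rejected(image_id: str) -> bool:
    """True when the hardened resolver refuses the id."""
    try:
        safe_resolve(image_id)
    except ValueError:
        return True
    return False
```

Run weak_resolve and safe_resolve on the same encoded id from the walkthrough: the weak version builds a path two directories above IMAGE_DIR, the hardened one raises.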
Getting your SHA-512
Go to https://sha512.online/ and input a string containing your WebGoat username.
It will generate a hash. Submit it as the secret answer.