# Week 58 - Directory Traversal

Did you know that most modern web servers do not serve content like:

`/var/www/html/register.php => File stored on server`

`GET /register.php => Request to get static file`

Instead, many servers rely on dynamically defined routes:

```
Router.route("/register")
  .get(require("./getRegisterFields.js"))
  .post(require("./addNewUser.js"))
```

These dynamically defined routes are often used to generate an additional request (say, to an API) before returning data to a user. This could look like the following:

```
GET /profile?id=1                => Request generated by user
HOST: example[.]com

GET /api/v1/users/profile/1      => Request generated by the server, to the internal API
HOST: internal[.]example[.]com

CONTENT-TYPE: application/json   => Response to user
{"name":"jake"}
```

How can we exploit this? Let’s try the below scenario:

```
GET /profile?id=../              => Request generated by user with directory traversal payload
HOST: example[.]com

GET /api/v1/users/profile/../    => Request generated by the server, to the internal API
GET /api/v1/users/               => Request normalized and executed by the internal API

CONTENT-TYPE: application/json   => Data for all users returned
{"name":"jake", "name":"dahvid", "name":"james"}
```

And we can view information for all users within the API! The big takeaway from this is to keep in mind that the server may be taking your input and appending it to another back-end request, allowing you to manipulate what data is returned to you. See if you can trigger error messages to help you enumerate further, or try some of the below tips:

- Directory traversal attempts
- Fuzzing using valid URL characters (%23 (#), %3f (?), %26 (&), %2e (.), %2f (/), %40 (@))
- Different headers returned for certain pages
- Error messages revealing internal APIs and services
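The server-side pattern described above, shown as an added example (not code from the original page) with the vulnerable concatenation beside a hardened version. The internal host name, the numeric `id` format and the function names are assumptions made for illustration.

```javascript
// Assumed internal API base, modeled on the hosts shown above (placeholder value).
const INTERNAL_API = "http://internal.example.com/api/v1/users/profile/";

// Vulnerable pattern: user input is concatenated straight into the back-end URL.
// Returns the path the internal API ends up serving after URL normalization.
function internalPathUnsafe(id) {
  return new URL(INTERNAL_API + id).pathname;
}

// Hardened pattern: allowlist the id format first (assumed numeric, as in id=1),
// then confirm the normalized path is still a child of the intended prefix.
// Percent-encoding alone is not enough: encodeURIComponent("..") is still "..",
// and the URL parser also treats "%2e%2e" as a dot-dot segment.
function internalPathSafe(id) {
  if (typeof id !== "string" || !/^[0-9]{1,18}$/.test(id)) {
    throw new Error("invalid id");
  }
  const prefix = new URL(INTERNAL_API).pathname;
  const url = new URL(encodeURIComponent(id), INTERNAL_API);
  if (!url.pathname.startsWith(prefix) || url.pathname === prefix) {
    throw new Error("path escaped expected prefix");
  }
  return url.pathname;
}

// Run a builder and report either the resulting path or the rejection reason.
function tryPath(fn, id) {
  try {
    return fn(id);
  } catch (e) {
    return "rejected: " + e.message;
  }
}

// Constructed sample inputs, including the characters from the fuzzing tip above.
for (const id of ["1", "../", "..", "%2e%2e", "1?x=1", "1#x"]) {
  console.log(JSON.stringify(id),
    "| unsafe:", tryPath(internalPathUnsafe, id),
    "| safe:", tryPath(internalPathSafe, id));
}
```

Logging every rejected `id` on the front-end server gives a detection signal for this kind of probing, since legitimate clients never send dot segments or reserved characters in that parameter.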

![](/files/pMC9uAMWIdjTYuNOpbOZ)


