Web Hacking Tips

Week 58 - Directory Traversal

Did you know that most modern web servers do not serve content like:

/var/www/html/register.php => File stored on server

GET /register.php => Request to get static file

Instead, many servers rely on dynamically defined routes:

Router.route("/register")
  .get(require("./getRegisterFields.js"))   // handler for GET /register
  .post(require("./addNewUser.js"));        // handler for POST /register

These dynamically defined routes are often used to generate an additional request (say, to an API) before returning data to a user. This could look like the following:

GET /profile?id=1                 => Request generated by the user
Host: example[.]com

GET /api/v1/users/profile/1       => Request generated by the server, to the internal API
Host: internal[.]example[.]com

Content-Type: application/json    => Response to the user
{"name":"jake"}

How can we exploit this? Let’s try the below scenario:

GET /profile?id=../               => Request generated by the user, with a directory traversal payload
Host: example[.]com

GET /api/v1/users/profile/../     => Request generated by the server, to the internal API
Host: internal[.]example[.]com

GET /api/v1/users/                => Request after path normalization, as executed by the internal API

Content-Type: application/json    => Data for all users returned
[{"name":"jake"}, {"name":"dahvid"}, {"name":"james"}]

And we can view information for all users within the API! The big takeaway from this is to keep in mind that the server may be taking your input and appending it to another back-end request, allowing you to manipulate what data is returned to you. See if you can trigger error messages to help you enumerate further, or try some of the below tips:

- Directory traversal attempts

- Fuzzing using valid URL characters (%23 (#), %3f (?), %26 (&), %2e (.), %2f (/), %40 (@))

- Different headers returned for certain pages

- Error messages revealing internal APIs and services
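The following is an added example, not code from the original post, showing the mechanism above from the server's side: a route that pastes the user-supplied id into a back-end API path, the same route with the input validated and the resulting path checked against its expected prefix, and a small check that flags traversal sequences in raw query values (including URL-encoded forms) for logging. The internal host, route layout and sample inputs are constructed for illustration; the WHATWG URL class stands in for the normalization that an HTTP client library or the receiving API would perform.

```javascript
// Added example (not from the original post). Constructed values throughout:
// the internal host and the /api/v1/users/profile/ route are assumptions.
const INTERNAL_API = "http://internal.example.com";
const PROFILE_PREFIX = "/api/v1/users/profile/";

// Vulnerable: the raw query value is concatenated into the back-end path.
// new URL() applies the same dot-segment normalization a server would, so
// "../" climbs out of the profile resource before the request is sent.
function buildInternalUrlVulnerable(id) {
  return new URL(`${PROFILE_PREFIX}${id}`, INTERNAL_API).href;
}

// Hardened: accept only the shape an id can legitimately have, encode it,
// and verify that the normalized path still sits under the expected prefix.
function buildInternalUrlSafe(id) {
  if (typeof id !== "string" || !/^\d{1,10}$/.test(id)) {
    throw new Error("invalid user id");
  }
  const url = new URL(`${PROFILE_PREFIX}${encodeURIComponent(id)}`, INTERNAL_API);
  // Defense in depth: even if the allowlist above is loosened later, a path
  // that escaped the profile resource is never forwarded.
  if (!url.pathname.startsWith(PROFILE_PREFIX)) {
    throw new Error("path escaped expected prefix");
  }
  return url.href;
}

// Detection helper: flag "../" or "..\" in a raw query value, checking the
// value as received and after one and two rounds of percent-decoding, so
// %2e%2e%2f and %252e%252e%252f are caught as well as the literal form.
function looksLikeTraversal(raw) {
  let v = String(raw);
  const re = /\.\.(\/|\\|$)/;
  for (let round = 0; round < 3; round++) {
    if (re.test(v)) return true;
    let decoded;
    try {
      decoded = decodeURIComponent(v);
    } catch {
      return false; // malformed escape, nothing further to decode
    }
    if (decoded === v) return false; // fully decoded, nothing matched
    v = decoded;
  }
  return false;
}

// Route handler stand-in: returns what the server would forward, or a
// generic error that does not echo the internal URL back to the caller.
function handleProfileRequest(id, builder) {
  try {
    return { ok: true, target: builder(id) };
  } catch (e) {
    return { ok: false, error: "profile lookup failed" };
  }
}

// Constructed sample inputs, as they would appear after the web framework's
// own query-string decoding (so "%2e%2e%2f" has already become "../").
const samples = ["1", "../", "2/../../admin"];
for (const id of samples) {
  console.log(JSON.stringify({
    id,
    flagged: looksLikeTraversal(id),
    vulnerable: handleProfileRequest(id, buildInternalUrlVulnerable),
    hardened: handleProfileRequest(id, buildInternalUrlSafe),
  }));
}
```

Running the block shows the vulnerable builder forwarding `../` as a request for `/api/v1/users/` (the whole collection), while the hardened builder rejects it before any back-end request is made and returns an error that reveals nothing about the internal service, which also closes the "error messages revealing internal APIs" avenue listed above.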


Last updated 2 years ago