Directory Traversal File Include
Check List
Methodology
Black Box
Directory Traversal (Local File Inclusion)
Identify endpoints serving static assets or files such as /assets/, /static/, /files/, or similar paths
Map the base directory by requesting valid assets like /assets/logo.png or /assets/style.css
Capture legitimate request using proxy tools like Burp Suite or curl
Modify the file path parameter to include traversal sequence ../ immediately after the asset base
Construct payload URL as https://target.com/assets/../build.sbt
Send request and inspect response for non-asset file contents
Test for project configuration files using /assets/../.git/config
Attempt access to build files with /assets/../build.sbt or /assets/../pom.xml
Target application configuration via /assets/../application.conf or /assets/../conf/routes
Test traversal to root directory files like /assets/../../../../../etc/passwd
Verify Windows environments with /assets/../../../../../windows/win.ini
Check response headers and body for file contents outside assets directory
Confirm successful read by presence of expected file markers like [core] in .git/config
Document full request URL and response snippet showing sensitive data
Test encoded variations using %2e%2e%2f for ../ to bypass basic filters
Attempt double encoding %252e%252e%252f if single encoding is blocked
Verify if trailing slash affects traversal like /assets/../build.sbt/
Test null byte injection with /assets/../build.sbt%00.png if language supports it
Check if file extension enforcement can be bypassed by appending .png to traversal payload
Assess depth of traversal needed based on directory structure from valid assets
File Path & File Access Vulnerabilities
Perform reconnaissance by crawling the target website to enumerate all accessible endpoints
Use tools like gau to extract archived URLs from various sources and save to a file
Employ Burp Suite Spider or custom scripts to crawl and identify hidden or dynamic parameters
Collect all URLs into a list for further analysis
Filter URLs to identify parameters tied to file operations such as
file=, document=, folder=, root=, path=, pg=, style=, pdf=, template=,
php_path=, doc=, page=, name=, cat=, dir=, action=, board=, date=, detail=,
download=, prefix=, include=, inc=, locate=, show=, site=, type=, view=,
content=, layout=, mod=, conf=, url=
Automate parameter filtering using gf patterns or Burp Suite search functionality
Utilize scripts like PwnTraverse to highlight potentially dangerous parameters in the URL list
Manually inspect isolated parameters for user-controlled input leading to inclusion
Capture baseline requests for each parameter using proxy tools like Burp Suite or browser developer tools
Test parameters with legitimate file names to confirm normal functionality
Inject traversal sequences like ../ to attempt escaping the intended directory
Replace parameter values with payloads such as ../etc/passwd or ../../etc/passwd
Send modified requests and examine response contents for sensitive file disclosure
Verify if responses contain system file contents like /etc/passwd or directory listings
Test additional payloads including ../../../var/www/html/config.php and ../../../../root/.ssh/id_rsa
Check HTTP response status codes for successful access such as 200 OK
Attempt traversal to application-specific files like config.php or database credentials
Test across different traversal depths by adding more ../ sequences
Verify vulnerability on Unix/Linux by targeting /etc/passwd and on Windows by targeting files like C:/Windows/system.ini
Test parameters across all HTTP methods like GET and POST if applicable
Check persistence of vulnerability with different file extensions and URL encodings
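From the defender's side, the same parameter list and payload shapes listed above can drive log review. The following is an added example (not part of the original checklist) that scans constructed web-server access-log lines, decodes each query parameter, flags traversal indicators, and raises confidence when the parameter name is one of the file-related names above and the server answered 200.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names the checklist above ties to file operations.
FILE_PARAMS = {
    "file", "document", "folder", "root", "path", "pg", "style", "pdf", "template",
    "php_path", "doc", "page", "name", "cat", "dir", "action", "board", "date",
    "detail", "download", "prefix", "include", "inc", "locate", "show", "site",
    "type", "view", "content", "layout", "mod", "conf", "url",
}
# Indicators are applied after decoding, so single and double percent-encoding both match.
TRAVERSAL = re.compile(r"\.\.[/\\]|\x00|etc/passwd|windows[/\\]system\.ini", re.I)
# Minimal combined-log parser (client, timestamp, method, target, status).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def scan_line(line):
    """Return a finding dict when a query parameter carries a traversal indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    # parse_qsl decodes once; the extra unquote catches %252e%252e%252f style double encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL.search(decoded):
            return {
                "ip": m["ip"], "ts": m["ts"], "param": name, "value": decoded,
                "status": int(m["status"]),
                "file_param": name.lower() in FILE_PARAMS,  # known file-handling parameter
                "served": m["status"] == "200",             # content was returned, not blocked
            }
    return None

def scan(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log lines; hosts, paths and timestamps are made up for the demo.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /view?page=about.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /view?page=../../etc/passwd HTTP/1.1" 200 1834',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1834',
    '10.0.0.7 - - [10/Oct/2023:13:55:45 +0000] "GET /search?q=..%2f..%2f HTTP/1.1" 404 99',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```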
Path Traversal Filter Bypass
Many applications that place user input into file paths implement some kind of defense against path traversal attacks, and these can often be circumvented.
If the application blocks or strips directory traversal sequences, several bypass techniques are available.
An absolute path such as file=/etc/passwd may be accepted directly, without using any traversal sequence.
You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.
Nested sequences such as ....// or ....\\ can defeat a filter that strips ../ or ..\ only once: after the inner sequence is removed, the characters that remain form a valid traversal sequence.
If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example filename=/var/www/images/../../../etc/passwd
If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. For example filename=../../../etc/passwd%00.png
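The static-asset checks in the Directory Traversal section and the bypasses listed just above all fail against the same hardened pattern: decode fully, canonicalise, then test containment on the canonical path and enforce the extension there. This is an added example, not code from the original checklist; ASSET_BASE, the extension allowlist and the weak strip_once filter are constructed for the demo, and paths are resolved rather than opened so it runs anywhere.

```python
import os
from urllib.parse import unquote

# Constructed assumption: static assets live under ASSET_BASE and nothing above it
# may ever be served.
ASSET_BASE = "/var/www/app/assets"
ALLOWED_EXT = (".png", ".css", ".js")

def vulnerable_resolve(requested):
    """The 'before' form: a bare join lets ../ (or an absolute path) walk out of ASSET_BASE."""
    return os.path.normpath(os.path.join(ASSET_BASE, requested))

def strip_once(requested):
    """A weak filter that removes ../ a single time; ....// survives it as ../ ."""
    return requested.replace("../", "")

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%2e%2e%2f, %252e%252e%252f) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_resolve(requested):
    """Hardened form: canonicalise first, then check containment and extension.
    Returns the absolute path inside ASSET_BASE, or None when the request is rejected."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:                   # a null byte would truncate the path in C-backed APIs
        return None
    decoded = decoded.replace("\\", "/")    # treat ..\ exactly like ../
    # Drop leading slashes so an absolute path cannot replace the base inside join().
    candidate = os.path.normpath(os.path.join(ASSET_BASE, decoded.lstrip("/")))
    # Containment is tested on the canonical path, so a /var/www/images/../../ prefix
    # and a trailing slash are resolved by normpath instead of being string-matched.
    if os.path.commonpath([ASSET_BASE, candidate]) != ASSET_BASE:
        return None
    if not candidate.lower().endswith(ALLOWED_EXT):
        return None
    return candidate

if __name__ == "__main__":
    for p in ["logo.png", "../build.sbt", "%2e%2e%2fbuild.sbt",
              "../build.sbt%00.png", "../../../../../etc/passwd", "....//build.sbt"]:
        print(f"{p!r:32} naive={vulnerable_resolve(p)!r:40} safe={safe_resolve(p)!r}")
```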
File Upload Path Traversal (Upload-Based Path Traversal)
Locate file-related endpoints like /fileupload
Capture the file upload request using a proxy tool like Burp Suite or curl
Test file upload functionality by sending a benign file with a command like
curl -X POST -F "file=@test.txt" https://target.com/fileupload/
Verify if the uploaded file is publicly accessible by checking the returned URL in a browser
Confirm the file’s storage location, noting any CDN or external hosting like cdn.bubble.io
Attempt to upload a file with a path traversal sequence in the filename, such as ../../../../../../../etc/passwd
Send the traversal payload using curl or a Burp Suite request, for example
curl -X POST -F "file=@../../../../../../../etc/passwd" https://target.com/fileupload/
Check the response for a URL pointing to the uploaded file and access it in a browser
Test multiple traversal depths (../../, ../../../, etc.) to bypass directory restrictions
Attempt to access additional sensitive files like /etc/group, /etc/hosts, /etc/hostname, /etc/resolv.conf, /etc/fstab, /etc/profile, /etc/issue, /etc/nginx/nginx.conf, and /etc/mysql/mariadb.conf.d/50-server.cnf
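The upload steps above rely on the server using the client-supplied filename as part of a path. The following is an added example (not from the original checklist) of the server-side handling that removes that dependency: the client name contributes only its extension, the stored name is generated server-side, and the final destination is re-checked against the upload root. UPLOAD_DIR and the extension allowlist are constructed assumptions.

```python
import os
import re
import secrets

UPLOAD_DIR = "/var/www/app/uploads"        # assumption: server-side upload root
UPLOAD_EXT = {".txt", ".png", ".pdf"}      # assumption: extension allowlist
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_upload_name(client_name):
    """Return (stored_name, reason). Only the extension comes from the client; the
    stored name is random, so a multipart filename can never form a path component."""
    if "\x00" in client_name:
        return None, "null byte in filename"
    # Keep only the last component, whichever separator the client used.
    last = re.split(r"[\\/]", client_name)[-1]
    last = UNSAFE.sub("_", last)
    if last.strip(".") == "":
        return None, "empty or dot-only filename"
    ext = os.path.splitext(last)[1].lower()
    if ext not in UPLOAD_EXT:
        return None, f"extension {ext or '(none)'} not allowed"
    return secrets.token_hex(8) + ext, None

def destination_path(stored_name):
    """Defense in depth: the final join must still land inside UPLOAD_DIR, else None."""
    dest = os.path.normpath(os.path.join(UPLOAD_DIR, stored_name))
    if os.path.commonpath([UPLOAD_DIR, dest]) != UPLOAD_DIR:
        return None
    return dest

if __name__ == "__main__":
    for name in ["test.txt", "../../../../../../../etc/passwd", "..\\..\\win.ini", "../logo.png"]:
        stored, reason = sanitize_upload_name(name)
        print(f"{name!r:40} -> {stored or 'REJECTED: ' + reason}")
```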
White Box
Cheat Sheet
