Directory Traversal File Include

Check List

Methodology

Black Box

Directory Traversal (Local File Inclusion)

Identify endpoints serving static assets or files such as /assets/, /static/, /files/, or similar paths

Map the base directory by requesting valid assets like /assets/logo.png or /assets/style.css

Capture legitimate request using proxy tools like Burp Suite or curl

Modify the file path parameter to include traversal sequence ../ immediately after the asset base

Construct payload URL as https://target.com/assets/../build.sbt

Send request and inspect response for non-asset file contents

Test for project configuration files using /assets/../.git/config

Attempt access to build files with /assets/../build.sbt or /assets/../pom.xml

Test traversal to root directory files like /assets/../../../../../etc/passwd

Verify Windows environments with /assets/../../../../../windows/win.ini

Test encoded variations using %2e%2e%2f for ../ to bypass basic filters

Attempt double encoding %252e%252e%252f if single encoding is blocked

Verify if trailing slash affects traversal like /assets/../build.sbt/

Test null byte injection with /assets/../build.sbt%00.png if language supports it

File Path & File Access Vulnerabilities

Perform reconnaissance by crawling the target website to enumerate all accessible endpoints

Use tools like gau to extract archived URLs from various sources and save to a file

Employ Burp Suite Spider or custom scripts to crawl and identify hidden or dynamic parameters

Collect all URLs into a list for further analysis

Filter URLs to identify parameters tied to file operations such as

file=, document=, folder=, root=, path=, pg=, style=, pdf=, template=, 
php_path=, doc=, page=, name=, cat=, dir=, action=, board=, date=, detail=,
download=, prefix=, include=, inc=, locate=, show=, site=, type=, view=,
content=, layout=, mod=, conf=, url=

Automate parameter filtering using gf patterns or Burp Suite search functionality

Utilize scripts like _PwnTraverse to highlight potentially dangerous parameters in the URL list

Manually inspect isolated parameters for user-controlled input leading to inclusion

Capture baseline requests for each parameter using proxy tools like Burp Suite or browser developer tools

Test parameters with legitimate file names to confirm normal functionality

Inject traversal sequences like ../ to attempt escaping the intended directory

Replace parameter values with payloads such as ../etc/passwd or ../../etc/passwd

Send modified requests and examine response contents for sensitive file disclosure

Verify if responses contain system file contents like /etc/passwd or directory listings

Test additional payloads including ../../../var/www/html/config.php and ../../../../root/.ssh/id_rsa

Check HTTP response status codes for successful access such as 200 OK

Test across different traversal depths by adding more ../ sequences

Verify vulnerability on Unix/Linux by targeting /etc/passwd and on Windows by targeting files like C:/Windows/system.ini

Path Traversal Filter Bypass

Many applications that place user input into file paths implement some kind of defense against path traversal attacks, and these can often be circumvented

if application blocks or strips directory traversal sequence there is many bypassing technique is available

we might directly access absolute path file=/etc/passwd with out using any traversal

You might be able to use various non-standard encoding, such as ..%c0%af or ..%252f, to bypass the input filter

filter-bypass-technique might user ....// or ....\ if one ..../ or ....\ is blocked than after removing them we traverse it

If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example filename=/var/www/images/../../../etc/passwd

If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. For examplefilename=../../../etc/passwd%00.png

File Upload Path Traversal (Upload-Based Path Traversal)

locate file-related endpoints like /fileupload

Capture the file upload request using a proxy tool like Burp Suite or curl

Test file upload functionality by sending a benign file with a command like

curl -X POST -F "file=@test.txt" https://target.com/fileupload/

Verify if the uploaded file is publicly accessible by checking the returned URL in a browser

Confirm the file’s storage location, noting any CDN or external hosting like cdn.bubble.io

Attempt to upload a file with a path traversal sequence in the filename, such as ../../../../../../../etc/passwd

Send the traversal payload using curl and Burp Suite Request

curl -X POST -F "file=@../../../../../../../etc/passwd" https://target.com/fileupload/

Check the response for a URL pointing to the uploaded file and access it in a browser

Test multiple traversal depths (../../, ../../../, etc.) to bypass directory restrictions

Attempt to access additional sensitive files like /etc/group, /etc/hosts, /etc/hostname, /etc/resolv.conf, /etc/fstab, /etc/profile, /etc/issue, /etc/nginx/nginx.conf, and /etc/mysql/mariadb.conf.d/50-server.cnf

White Box

Cheat Sheet

PreviousBroken Authorization NextBypassing Authorization Schema

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagDirectory Traversal (Local File Inclusion)arrow-up-right

hashtagFile Path & File Access Vulnerabilities

hashtagPath Traversal Filter Bypassarrow-up-right

hashtagFile Upload Path Traversal (Upload-Based Path Traversal)

hashtagWhite Box

hashtagCheat Sheet