Portswigger Labs
Lab 1: Simple Case
When viewing a product, this is the request that pops up:

Changing it to ../../../../../etc/passwd solves the lab.
Lab 2: Absolute PATH Bypass
This lab treats the supplied filename as relative to a default working directory.
Solve by entering /etc/passwd.

This bypasses whatever working directory is configured, since an absolute path is used.
Lab 3: Non-recursively stripped sequences
This application strips all path traversal sequences before using the input.
Since it strips ../ only once rather than recursively, it is bypassable using ....// instead.

The website checks for the ../ string. In ....//, when the inner ../ is removed, what remains is ../. Thus, this bypasses whatever stripping is done.
Lab 4: Superfluous URL-decode
This lab is the same as above, except it blocks input containing ../ and then performs a URL decode before using it.
Just double URL encode the ../ sequence.
The double-encoded input would be decoded to ..%2f, which is then processed as ../. Since I technically did not use ../ directly, this bypasses whatever blacklist there is.
Lab 5: Validation at start of PATH
This lab checks whether the supplied path starts with the 'correct' path. Just append ../../../../etc/passwd to the 'correct' path.

Lab 6: Validation of file extension
This lab checks whether a valid image is retrieved by checking the file extension.
Borrowing a technique from file upload bypasses, one can append %00.jpg so that the extension remains 'valid', since .jpg is part of the string.
However, when the string is URL decoded before being processed, the NULL byte truncates the rest of the string, so .jpg is never processed BUT the file extension check is still bypassed.
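The six labs above are each a single weak check (stripping, a blacklist, a prefix test, an extension test) applied to untrusted input. The following is an added defensive example, not code from PortSwigger or from this writeup: it shows why one-pass stripping fails, and a single path resolver that rejects every payload class discussed above by decoding once, refusing null bytes and absolute paths, canonicalising, checking containment in the base directory, and only then checking the extension. The base directory /var/www/images and the full payload strings are constructed for the example; the page only shows the fragments.

```python
import os
import urllib.parse

# Hypothetical directory the image endpoint is allowed to serve from (assumption).
BASE_DIR = "/var/www/images"
ALLOWED_EXT = (".jpg", ".jpeg", ".png")


def naive_strip_once(filename):
    """The Lab 3 style filter: remove every '../' in a single pass.

    str.replace makes one left-to-right pass, so '....//' loses its inner
    '../' and the surviving characters re-form '../'. This is the bug the
    lab demonstrates; it is here only to be contrasted with safe_image_path.
    """
    return filename.replace("../", "")


def safe_image_path(filename, base_dir=BASE_DIR, allowed_ext=ALLOWED_EXT):
    """Return the canonical on-disk path for a user-supplied image name,
    or raise ValueError with the reason it was rejected."""
    # Lab 4: decode exactly once. If decoding again changes the value the
    # input was encoded more than once, which a legitimate client never does.
    decoded = urllib.parse.unquote(filename)
    if urllib.parse.unquote(decoded) != decoded:
        raise ValueError("double-encoded input")

    # Lab 6: a null byte can never be part of a real filename; lower layers
    # written in C would truncate at it, so reject outright.
    if "\x00" in decoded:
        raise ValueError("null byte")

    # Lab 2 and Lab 5: absolute input (including one that merely starts with
    # the expected prefix) is never accepted; the client names a file, not a path.
    if os.path.isabs(decoded):
        raise ValueError("absolute path")

    # Labs 1 and 3: never strip or rewrite; canonicalise the joined path and
    # require the result to still live inside the base directory. No sequence
    # of dots or slashes can "collapse" into a traversal here, because nothing
    # is removed from the input.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("escapes base directory")

    # Lab 6 again: check the extension on the canonical path, after all
    # decoding, not on the raw string the client sent.
    if os.path.splitext(full)[1].lower() not in allowed_ext:
        raise ValueError("disallowed extension")
    return full


# Constructed payloads, one per lab class on the page (full strings are assumed).
LAB_PAYLOADS = {
    "lab1_simple": "../../../../../etc/passwd",
    "lab2_absolute": "/etc/passwd",
    "lab3_nonrecursive": "....//....//....//etc/passwd",
    "lab4_double_encoded": "..%252f..%252f..%252fetc/passwd",
    "lab5_prefix": "/var/www/images/../../../etc/passwd",
    "lab6_null_byte": "../../../etc/passwd%00.jpg",
}


def check_lab_payloads():
    """Map each payload name to the rejection reason, or None if accepted."""
    results = {}
    for name, payload in LAB_PAYLOADS.items():
        try:
            safe_image_path(payload)
            results[name] = None
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print("naive filter turns '....//' into", repr(naive_strip_once("....//")))
    for name, reason in check_lab_payloads().items():
        print(f"{name:22s} -> {reason}")
    print("legitimate name resolves to", safe_image_path("cat.jpg"))
```

Note that the Lab 3 payload is rejected for its extension rather than for traversal: because nothing is stripped, ....// is simply a directory literally named "...." and the path never leaves the base directory. The "decode twice and compare" test does reject a legitimate filename containing a literal percent sign; if such names must be supported, drop that check and rely on the containment test, which is the one that actually matters.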
