Posts

Showing posts from June, 2020

Self Notes: Web Security Academy Directory Traversal Lab 6

Link to Lab 6. To solve this lab, we need to bypass the application's check on the file type extension and exploit the directory traversal vulnerability in the image display endpoint. First, check whether the application filters our input. Response from server: the server doesn't recognize the file, so let's try bypassing the check with a null byte. Response from server: Lab Solved!

Self Notes: Web Security Academy Directory Traversal Lab 5

Lab 6 Link. To solve this lab, we need to exploit a path traversal vulnerability in the image display endpoint. The application validates that the supplied path starts with the expected folder. Let's test the application's behavior. Server response: nothing is blocked, so we send the exploit request. Response from server: Lab Solved!

Self Notes: Web Security Academy Directory Traversal Lab 4

Link to Lab 4. This lab has a path traversal vulnerability in the image display endpoint. It attempts to defeat exploitation by stripping the path traversal sequence from the user input before decoding and using the input. The task is to read the /etc/passwd file. As usual, test with the normal exploit. Response from server: the server responded with the image, so we can confirm that the input is being stripped. Let's try encoding our input before sending it to the server, in the hope that the server will decode it for us. Server response: the server disagrees, so let's try double-encoding the input. Server response: Lab Solved!

Self Notes: Web Security Academy Directory Traversal Lab 3

Link to Lab 3. In this lab, the task is to retrieve the content of /etc/passwd by exploiting a path traversal vulnerability in the product image display endpoint. The application attempts to block exploitation by stripping path traversal sequences from the input before using it. We first attempt to exploit the vulnerability with normal path traversal sequences. From the server's response, we can infer that our path traversal sequences have been stripped, so let's test a bypass by doubling the sequences. Server response: Lab Solved!

Self Notes: Web Security Academy Directory Traversal Lab 2

Link to Lab 2. This lab contains a path traversal vulnerability in the product image display endpoint. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. First, we try to exploit this lab using the normal traversal sequences. The server responds with an error, showing that path traversal is blocked. Let's modify the request to use an absolute path. The server responds with: Lab Solved!

Self Notes: Web Security Academy Directory Traversal Lab 1

Link to Lab 1. The task of the lab is to retrieve the content of /etc/passwd by exploiting a file path vulnerability in the display of product images. To exploit the path traversal vulnerability, we send a traversal request to the image display endpoint. The server's response shows that /etc/passwd has been accessed. Lab Solved!