| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Path Traversal (Start-of-Path Validation Bypass) |
| Difficulty | Practitioner |
| Objective | Retrieve the contents of /etc/passwd |
## File Path Traversal, Validation of Start of Path
A shopping app displaying item images loads something like:

```html
<img src="/image?filename=/var/www/images/53.jpg">
```
Intercepting the request in Burp:

```http
GET /image?filename=/var/www/images/53.jpg HTTP/2
```
This time the full path is passed in directly, including the base folder, unlike the previous labs where only the filename was supplied. The app validates that the supplied path starts with /var/www/images. Because it only checks the start of the raw string and never canonicalizes the path afterwards, we can keep the expected prefix and then traverse out of it:

```http
GET /image?filename=/var/www/images/../../../../etc/passwd HTTP/2
```
The path starts with /var/www/images as required, so validation passes, but the trailing ../../../../etc/passwd still gets resolved by the filesystem and walks back up to /etc/passwd.
This solves the lab.
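To make the defect concrete, here is the flawed start-of-path rule next to the fix (canonicalize, then check containment), run over the lab's legitimate image path and the traversal payload above. This is an added example, not code from the lab or from PortSwigger; the function and sample names are hypothetical.

```python
import os

# The base folder the lab's image handler expects at the start of `filename`.
BASE_DIR = "/var/www/images"


def vulnerable_is_allowed(filename: str) -> bool:
    """The lab's flawed rule: only the *start* of the raw string is checked,
    so '/var/www/images/../../../../etc/passwd' passes."""
    return filename.startswith(BASE_DIR)


def hardened_is_allowed(filename: str, base_dir: str = BASE_DIR) -> bool:
    """Canonicalise first, then check containment.

    os.path.realpath collapses '.'/'..' and resolves symlinks for both the
    base and the candidate, so the comparison is made on the path the OS
    would actually open, not on the attacker-controlled string. commonpath
    (rather than startswith) also rejects sibling dirs like /var/www/images2.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(filename)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # raised when the two paths cannot be compared at all
        return False


# Constructed request values (hypothetical, for demonstration): the lab's
# legitimate image, the traversal payload from the write-up, and two other
# shapes a bare prefix check gets wrong.
SAMPLE_REQUESTS = [
    "/var/www/images/53.jpg",
    "/var/www/images/../../../../etc/passwd",
    "/var/www/images2/leak.jpg",
    "/etc/passwd",
]


def compare_checks(requests=SAMPLE_REQUESTS):
    """Return {filename: (prefix_check_verdict, canonical_check_verdict)}."""
    return {f: (vulnerable_is_allowed(f), hardened_is_allowed(f)) for f in requests}


if __name__ == "__main__":
    for f, (vuln, hard) in compare_checks().items():
        print(f"{f:45} prefix-check={vuln!s:5} canonical-check={hard!s:5}")
```

Only the first sample is accepted by the canonical check; the prefix check also waves through the traversal payload and the sibling directory.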