Burp Suite User Forum


stripping of lab "File path traversal, traversal sequences stripped non-recursively"

Momo | Last updated: Aug 09, 2021 05:25PM UTC

Hi, Thank you so much for this awesome platform, I am having a great vacation thanks to you. I was wondering how the stripping worked on the lab indicated in the subject.

Indeed, I do not understand why this sequence "filename=/////41.jpg" works (renders the same as "filename=41.jpg") given that the stripping is non-recursive. Same for "..//41.jpg". I would assume that only "../" would be stripped, then the "/" remains, which would make the server process "/41.jpg".

Finally, I do not understand why "....//41.jpg" doesn't work. I assume the server processes ../41.jpg because only the 3rd & 4th dot and 1 "/" are stripped. But I don't understand why adding ".." to "..//" changes anything. My assumption is that the stripping script reads from left to right and as soon as it encounters "../" or "/", it strips it. I know it's not the case given my observations, so I wanted to know how it worked.

Cheers, Momo

Ben, PortSwigger Agent | Last updated: Aug 11, 2021 07:26AM UTC

Hi Momo, The inner sequence is being stripped in this particular lab so the inner ../ is removed leaving behind .. / (sorry, this is slightly difficult to conceptualise without images). The .. / then reverts to a simple ../ and is then used as a traversal sequence allowing you to view files on the underlying file system of the server.

Momo | Last updated: Aug 11, 2021 02:48PM UTC

Hey, thanks for the answer. What is exactly the inner sequence? You mean that at the beginning and the end of the sequence nothing is stripped? Then why would "/41.jpg" work like "41.jpg", as well as "../41.jpg"? I'm a bit confused :/

Michelle, PortSwigger Agent | Last updated: Aug 16, 2021 03:29PM UTC

Hi, With the examples you have given, "/41.jpg" and "../41.jpg" details would be stripped so that you are left with 41.jpg, and so the image can be returned. If you used a sequence such as ....//41.jpg, once ../ has been stripped, you would still be left with ../41.jpg, which would then look in a different folder and fail to find the image. I hope that makes sense. Have another read through the resources and try to think about how the final file path will look after the server has applied any processing. Good luck with the rest of the labs!
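To make the "think about how the final file path will look" advice concrete, here is an added example (not PortSwigger's lab code) that models a single-pass, non-recursive removal of "../" followed by string concatenation onto an assumed base directory of /var/www/images, and contrasts it with a check that canonicalises the path first and then requires it to stay inside that directory. The sanitiser, base directory and function names are all assumptions for illustration; the normalisation behaviour (redundant slashes collapse, surviving ".." components are applied) is what posixpath.normpath does.

```python
import posixpath
from typing import Optional

BASE_DIR = "/var/www/images"  # assumed location of the image store


def strip_non_recursive(filename: str) -> str:
    """Model of a non-recursive sanitiser (constructed, not the lab's code).
    Every "../" in the input is removed in one left-to-right pass and the
    result is NOT rescanned, so a "../" rebuilt by the removal survives."""
    return filename.replace("../", "")


def resolve_naively(filename: str) -> str:
    """Vulnerable flow: strip once, concatenate onto BASE_DIR, let the OS
    normalise. Extra slashes are harmless here, which is why "/////41.jpg"
    and "..//41.jpg" still serve the image; "....//41.jpg" leaves "../"
    behind and the normalised path climbs out of BASE_DIR."""
    cleaned = strip_non_recursive(filename)
    return posixpath.normpath(BASE_DIR + "/" + cleaned)


def resolve_safely(filename: str) -> Optional[str]:
    """Hardened flow: do not try to delete bad sequences at all. Canonicalise
    the requested path and then verify it is still inside BASE_DIR.
    Returns None when the request would resolve outside the image store."""
    candidate = posixpath.normpath(BASE_DIR + "/" + filename)
    if candidate == BASE_DIR or candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for name in ["41.jpg", "/////41.jpg", "..//41.jpg", "....//41.jpg"]:
        print(f"{name:14} naive -> {resolve_naively(name):26} "
              f"safe -> {resolve_safely(name)}")
```

Running the block prints the final path each request resolves to under both flows, which is the comparison the thread is reasoning about.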
