WebGoat Path Traversal 2

Path traversal vulnerabilities allow malicious users to read and/or write files and directories located outside the web root directory by means of the “../” sequence in a path — https://owasp.org/www-community/attacks/Path_Traversal

Let’s start by uploading an image

From the message at the bottom of the form I gather that the image has been uploaded to the specified location
Let’s see what the response tells us on Burp

It seems that the name of the file is passed to the webapp by means of the “Full name” parameter, so let’s try to tamper with it in Burp Repeater

By changing the form data “fullName” it is possible to change the file name on the system

So by passing a “fullName” parameter starting with ../ we complete the lesson

WebGoat Path Traversal 3

This lesson is very similar to the previous one, so let’s upload a file and tamper with the request in Burp Repeater

It seems that the webapp removes the ../ from the “fullNameFix” parameter, so let’s try partial forms of the path traversal pattern

If “fullNameFix” starts with .. the webapp allows it and the file name keeps the leading ..

If “fullNameFix” starts with ./ the webapp allows it and the file name keeps the leading ./ that identifies the current directory, so the injection is successful but there is no harm done

As expected, by trying ..../ (four dots and a slash) the webapp removes the malicious pattern but keeps the .. in front of the file name

Again, the webapp removes all occurrences of the ../ patterns and the file name does not retain anything from this injection

The webapp removes ../ but does not apply the check recursively, so once the single ../ pattern is removed from ..././ I get ../ and the exercise is completed

Last test just to confirm the solution: from ....// (four dots and two slashes) we get ../

WebGoat Path Traversal 4

Same as before, let’s upload a file and see what happens in Burp

This time it seems that the file name used to write the image to the disk is taken directly from the name of the file passed to the webapp

So by adding a leading ../ pattern to the file name we complete this exercise
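To make the difference between the lesson 3 filter and a proper check concrete, here is an added example (my own code, not WebGoat’s): naive_strip reproduces the single-pass removal of ../, strip_until_stable shows the rewrite-based fix, and safe_target shows the check I would actually use, which canonicalizes the path and verifies it stays under the upload directory. The upload root /var/www/uploads is an assumed placeholder, not WebGoat’s real path.

```python
import posixpath
from typing import Optional

# Hypothetical upload root; WebGoat's real location is not used here.
UPLOAD_DIR = "/var/www/uploads"


def naive_strip(name: str) -> str:
    """Single-pass removal of '../', like the lesson 3 filter.

    '..././x' -> '../x' and '....//x' -> '../x', because the text left
    after the removal is never checked again.
    """
    return name.replace("../", "")


def strip_until_stable(name: str) -> str:
    """Repeat the removal until the input stops changing."""
    while True:
        stripped = name.replace("../", "")
        if stripped == name:
            return name
        name = stripped


def safe_target(name: str, root: str = UPLOAD_DIR,
                allow_subdirs: bool = False) -> Optional[str]:
    """Return the canonical path to write to, or None to reject the upload.

    Instead of rewriting the input, resolve it against root and require
    that the result is still inside root.  With allow_subdirs=False the
    name must be a bare file name, which is what an upload form needs.
    """
    if not name or "\x00" in name:
        return None
    if not allow_subdirs and "/" in name:
        return None
    # posixpath.join discards root if name is absolute, and normpath
    # collapses '..' and '.'; the commonpath check catches both cases.
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if candidate == root:
        return None  # '.' or '..'-only names would target root itself
    return candidate
```

Note that ..././ is accepted when subdirectories are allowed: it resolves to a directory literally named ... inside the upload root, which is harmless, while any name that climbs above the root is rejected regardless of how it is spelled.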

This concludes WebGoat Path Traversal 2, 3 and 4.
I hope you liked it.
PVXs — https://twitter.com/pivixih