
This lesson's task is to retrieve a file called “path-traversal-secret.jpg” from the system
Let's click “Show random cat picture” to capture the request and response in Burp

The /random-picture endpoint returns a lot of data, and soon afterwards the image on the web page changes, so I went on to see what the button is actually doing

From the Firefox dev tools I can see that the button calls a newRandomPicture() JS function

In the Firefox dev tools -> Debugger -> Sources tab it is possible to search for a pattern in all the files of the current page by pressing CTRL+SHIFT+F

And something popped up in the search results
It is curious to notice that the source is not present in any of the files listed in the left-hand panel of the Debugger -> Sources tab, but nevertheless the search finds it on the page

The source has a newRandomPicture() function which sends a GET request to
/PathTraversal/random-picture
which returns a lot of data. It then sets the “src” attribute of the “randomCatPicture” HTML img tag to
data:image/png;base64,
concatenated with whatever is returned in the data section of the response, thus building an image from the data stream. Hence the data in the response is a file stored somewhere on the server

So I pressed the random button once again and got the request and response in Burp Repeater
Highlighted in red in the response there is a Location header with the value
/PathTraversal/random-picture?id=5.jpg
The “id=5.jpg” query string looks just like a jpg image filename

So why not request that same Location header path together with its query string?
From the response I see that
- the file name has been changed: in the response it has an extra “.jpg” appended at the end
- the data section of the response looks like a directory listing

The same happens if the “id” parameter is left empty

But when trying to see what is in the parent directory, the webapp responds that it does not allow “Illegal characters” in query parameters

So I URL-encoded “../” to see what happens, and the webapp returned the listing of the /PathTraversal directory: the illegal-character check runs on the raw query string, before the value is decoded

After going through all the directories, I then went back up another directory level to see the listing of /home/webgoat/.webgoat-8.1.0/, and there I found the requested file

By requesting the filename without “.jpg”, since the webapp appends that extension automatically, the webapp returns the way to get the solution for this lesson
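The root cause of this lesson is a filter that inspects the raw “id” value before URL-decoding and then blindly appends “.jpg” to it. The following Python example is added here as an illustration of how a defender would fix such a handler; it is constructed for this write-up and is not WebGoat's own code. The function names (naive_is_illegal, safe_picture_path, check_requests), the base directory /srv/catpics and the sample request ids are all assumptions made for the example.

```python
import os
from typing import Dict, Optional
from urllib.parse import unquote


def naive_is_illegal(raw_id: str) -> bool:
    """A filter of the kind the lesson hints at: it looks for traversal
    characters in the raw, still URL-encoded query value, so an encoded
    "%2e%2e%2f" is never seen as "../".  Constructed illustration only."""
    return ".." in raw_id or "/" in raw_id


def safe_picture_path(base_dir: str, raw_id: str) -> Optional[str]:
    """Hardened resolver: decode first, validate the decoded name, append the
    extension, canonicalize, and finally confine the result to base_dir.
    Returns the absolute path to serve, or None if the request is rejected."""
    picture_id = unquote(raw_id)  # %2e%2e%2f becomes ../ before any check

    # Only a plain file name is acceptable: no separators, no dot-prefixed
    # names (covers "", "." and ".." as well as hidden files).
    if not picture_id or "/" in picture_id or "\\" in picture_id \
            or os.sep in picture_id or picture_id.startswith("."):
        return None

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, picture_id + ".jpg"))

    # Defence in depth: whatever the name check missed, the canonical path
    # must still lie inside the picture directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample request ids, modelled on the ones seen in the lesson.
SAMPLE_IDS = [
    "5",                                   # legitimate picture
    "",                                    # empty id (gave a listing in the lesson)
    "../",                                 # plain traversal
    "%2e%2e%2f%2e%2e%2fpath-traversal-secret",  # URL-encoded traversal
]


def check_requests(base_dir: str = "/srv/catpics") -> Dict[str, Optional[str]]:
    """Run every sample id through the hardened resolver and report the
    resolved path (or None for a rejected request)."""
    return {raw: safe_picture_path(base_dir, raw) for raw in SAMPLE_IDS}


if __name__ == "__main__":
    for raw, resolved in check_requests().items():
        naive = "passes" if not naive_is_illegal(raw) else "blocked"
        print(f"id={raw!r:45} naive filter: {naive:8} hardened: {resolved}")
```

The naive filter blocks the literal “../” but lets the encoded form through, which is exactly the behaviour seen in the lesson; the hardened resolver rejects both because it decodes before checking and verifies the canonical path regardless of what the name check concluded.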
In order to get the SHA-512 of your username, on most Linux distros you can use this command
echo -n 'username' | sha512sum
It is important to add -n to avoid hashing the trailing newline character as well
If you want to know more about the “echo” command, check this page
or type “man echo” in your Linux shell
This concludes WebGoat Path Traversal 5
I hope you liked it
PVXs — https://twitter.com/pivixih