My thoughts and a repository for things I find useful

Web Developer @ Gumpo Ltd
Email wil2095@protonmail.com
X / Twitter @wil2095

Directory traversal

PHP

Research

Development

Cyber Security

Sometimes refered to as file path traversal.

I have become fascinated with the techniques attackers may use to discover web server directories and files. Specifically, of course, those directories and files that are not intended to be obvious.

A simple look at robots.txt in the root directory may unearth some resources that aren't meant to be viewed. By virtue of the fact they are listed in the .txt file the website owners don't want search engines indexing them. This is all above board and I've found some interesting and unexpected resources using this technique.

So, I read with interest PortSwigger's page on directory traversal that introduced a terrible bit of coding that I confess I'd never considered. And that's with 25+ years web development under the belt.

<img src="/loadImage?filename=218.png">

The thought of a file essentially pulling in a resource from any client defined resource on the web server terrifies me.

And it does of course lead to this type of activity (UNIX filesystem example):

https://insecure-website.com/loadImage?filename=../../../etc/passwd

With such an easy way to 'guess' at resource names it makes sense that some kind of a dictionary reconnaissance would be fairly straight forward.