path: root/Directory traversal/Resources/notes.md
blob: fcecf3aeede3cec5005c0d8dc7d7cc1fda0d98bb (plain)
## Exploit

1. Pages are fetched using a query parameter, `page` (`http://10.0.2.15/?page=somePage`), which exposes the server to a dot-dot-slash attack.
1. We get the flag by requesting `http://10.0.2.15/?page=../../../../../../../etc/passwd`.

## Fix

<https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include>

The problem is that users can directly supply the name of the file to be included or read. Such input must be sanitized, for example by checking it against a strict list of allowed values or by rejecting input containing `../`.
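
One way to implement the fix described above, as an added example that is not part of the original notes. The names `ALLOWED_PAGES`, `resolve_allowlisted` and `resolve_contained`, the page names and the sample files are assumptions; the second function goes a step beyond matching `../` by canonicalising the path and checking that it stays inside the pages directory.

```python
import tempfile
from pathlib import Path

# Assumed allow-list: public page names -> files inside the pages directory.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def resolve_allowlisted(pages_dir, page):
    """Strict list of allowed values: user input is only ever a lookup key."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    return Path(pages_dir).resolve() / filename


def resolve_contained(pages_dir, page):
    """For when a fixed list is impractical: canonicalise the path first,
    then require that it is a regular file inside pages_dir."""
    base = Path(pages_dir).resolve()
    target = (base / page).resolve()  # collapses ../ and follows symlinks
    if base not in target.parents or not target.is_file():
        return None
    return target


def demo():
    """Run both checks over constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "pages"
        pages.mkdir()
        (pages / "home.html").write_text("<h1>home</h1>")
        (pages / "about.html").write_text("<h1>about</h1>")
        (Path(tmp) / "secret.txt").write_text("outside the pages directory")
        # Constructed sample values for the `page` parameter.
        samples = ["home", "home.html", "../secret.txt",
                   "../../../../../../../etc/passwd", "/etc/passwd"]
        return {
            s: (resolve_allowlisted(pages, s) is not None,
                resolve_contained(pages, s) is not None)
            for s in samples
        }


if __name__ == "__main__":
    for value, (listed, contained) in demo().items():
        print(f"{value!r:45} allow-list={listed} contained={contained}")
```

The allow-list is the stronger control because the request value never becomes part of a path; the containment check is the fallback when page names cannot be enumerated in advance.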