Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Shopping for an admin account via path traversal - 152

Gitlab - Posted 6 Years Ago
  • Path traversal is a way to move up a directory by using the common ../ sequence. I usually think of this as a vulnerability associated with handling files.
  • This vulnerability occurs because of two REST API calls talking to each other. The first request has a parameter for some ID value. If this ID value is set to ../something, then the next REST call will move up a directory in the URL before making the call!
  • Finally, to make this exploitable, the API handler for the second REST call allows for ?parameter=some_value. So, the directory traversal can be used to hit internal APIs (that should not be accessible) with parameters!
  • The example in the post can be used to promote any account to admin! The request some_api/(../users/?admin=true), where the ID should be the item in parentheses, gets translated to api/v4/users/?admin=true. This almost acts as an interesting SSRF attack.
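
The URL handling described above, with the unsafe construction beside two hardened ones, as an added example (not code from the post or from GitLab). The host internal.example, the function names and the digits-only ID format are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

# Assumed layout: the first handler forwards its ID to this internal endpoint.
INTERNAL_BASE = "http://internal.example/api/v4/some_api/"  # hypothetical host

def routed_target(url):
    """Path and query a server would route after dot-segment normalisation."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path)
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; restore it
    return path + ("?" + parts.query if parts.query else "")

def second_call_unsafe(item_id):
    # Vulnerable pattern from the summary: the ID is pasted into the URL as-is.
    return INTERNAL_BASE + item_id

def second_call_encoded(item_id):
    # Percent-encoding keeps "/" and "?" inside one path segment, but a bare
    # ".." passes through unchanged, so encoding alone is not a complete fix.
    return INTERNAL_BASE + quote(item_id, safe="")

def second_call_safe(item_id):
    # Allowlist: accept digits only (assumed ID format), reject everything else.
    if not re.fullmatch(r"[0-9]{1,18}", item_id):
        raise ValueError("rejected id: %r" % item_id)
    return INTERNAL_BASE + item_id

def is_rejected(item_id):
    try:
        second_call_safe(item_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    value = "../users/?admin=true"  # the ID value quoted in the summary
    print("unsafe  ->", routed_target(second_call_unsafe(value)))
    print("encoded ->", routed_target(second_call_encoded(value)))
    print("encoded '..' ->", routed_target(second_call_encoded("..")))
    print("allowlist rejects:", is_rejected(value), is_rejected(".."))
    print("allowlist accepts ->", routed_target(second_call_safe("42")))
```

The allowlist is the primary control here; encoding is a second layer, and the internal API should still enforce its own authorization rather than trust the forwarding handler.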