Webgoat - Path traversal

Webgoat – Path traversal

In this walk through, we will be going through the Path traversal vulnerability section from Webgoat Labs. We will be exploring and exploiting Path traversal and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Path traversal

1. Path traversal while uploading files

  • In this assignment, the goal is to overwrite a specific file on the file system. We need to upload your file to the following location outside the usual upload location.

Path traversal while uploading files

Preview image

  • I used he below payload to upload a file to another directory.




2. Path traversal while uploading files again

Path traversal while uploading files again

  • Bypasses the mitigation with the below payload.




3. Path traversal while uploading files again +1

  • In this challenge, the developer is now using the uploaded file name instead of asking file name from user.

Path traversal while uploading files again +1

Profile updated

  • I intercepted the request and used the below payload to successfully write the file to other location.

Burpsuite intercept



Path traversal successful


4. Retrieving other files with a path traversal

  • In this challenge, we have to retrieve contents of path-traversal-secret.jpg file. The application has a button which shows random images of cat upon clicking.

Retrieving other files with a path traversal

  • I intercepted the request via Burpsuite and analyzed the response. In the response, we can see location header which is using the id parameter to query the DB for the cat images.

Burpsuite intercept

Burpsuite Response

  • I used the parameter in my GET request path with ls command and seems likes it is injectable.



  • Next, i URL encoded the payload and used it with our id parameter and got a directory listing of parent directories where we can see our target file.





  • As i was unable to retrieve the secret from the path-traversal-secret.jpg file. So, i simply removed the extension and got a hit. The clue was that the secret is sha512 hash of our username.



Answer found

  • Calculate the hash of our username and completed the challenge.

echo -n 'kratos' | sha512sum
9710fd696c471dcac50bec100993d775ab323f37110f90b02be98347503542d17788acd46f5d536211657e03df7dbad0dd2f35d6a11d39c0835e7791cf705225  -

SHA512 hash

Secret submitted

5. Zip Slip assignment (Not finished)

Zip Slip assignment (Not finished)

Burpsuite intercept

Zip error

Also Read: Mutillidae – XML External Entity Injection (XML Validator)



So, we finally completed the Webgoat Path traversal restrictions Vulnerability section. Next, we can mitigate the potential Path traversal attacks by validating the input against a known set of whitelisted values. Along with that, the input should then be added to a platform filesystem API to canonicalize the path which will then verify that the canonicalized path starts with the expected base directory . On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top