[This lab](https://portswigger.net/web-security/file-path-traversal/lab-simple) demonstrates a classic **path traversal vulnerability** in a file fetch endpoint where user input is used unsafely to access files on the server. By modifying the `filename` parameter, you can escape the intended directory and read sensitive files like `/etc/passwd`. Remember about HTTP history filter where images are hidden by default ![[CleanShot 2025-04-22 at 20.45.08.png]] ##### Step 1: Trigger the Image Request 1. Browse any product page in the lab 2. Observe that product images are loaded via requests like: ![[CleanShot 2025-04-22 at 20.46.21.png]] --- ##### Step 2: Send to Repeater - Send this request to **Burp Repeater** - Modify the `filename` parameter: ![[CleanShot 2025-04-22 at 20.30.47.png]] - You may need to add more `../` depending on the path resolution (but usually 3 is enough) --- ##### Step 3: Send and Observe ✅ If successful, the response will include: ```plaintext root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin ... ``` This is the content of the **`/etc/passwd`** file → **lab solved**