[This lab](https://portswigger.net/web-security/file-path-traversal/lab-simple) demonstrates a classic **path traversal vulnerability** in a file fetch endpoint where user input is used unsafely to access files on the server. By modifying the `filename` parameter, you can escape the intended directory and read sensitive files like `/etc/passwd`.
Remember about HTTP history filter where images are hidden by default
![[CleanShot 2025-04-22 at 20.45.08.png]]
##### Step 1: Trigger the Image Request
1. Browse any product page in the lab
2. Observe that product images are loaded via requests like:
![[CleanShot 2025-04-22 at 20.46.21.png]]
---
##### Step 2: Send to Repeater
- Send this request to **Burp Repeater**
- Modify the `filename` parameter:
![[CleanShot 2025-04-22 at 20.30.47.png]]
- You may need to add more `../` depending on the path resolution (but usually 3 is enough)
---
##### Step 3: Send and Observe
✅ If successful, the response will include:
```plaintext
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```
This is the content of the **`/etc/passwd`** file → **lab solved**