From XSS to a Directory Traversal
Hey Guys!! This is my first write-up for a bug bounty, so pardon me if I made any mistakes, and also feel free to express your ideas below. The program was private so I cannot expose the name, but let's take the target as “www.target.com”. So I started doing some recon, trying to get some XSS and checking out, as usual, what you do. For a whole 2 weeks I was trying and trying but didn't find a single thing. I was more onto XSS on that target but ended up with nothing.
So I went offline for some days, away from the screen, and came back to the target. I was in Chrome DevTools, because most of the time I use Chrome DevTools to look at JavaScript files; although it's on the low-tech side, I especially love the Network tab in DevTools because you can view the files arranged by category (JS, CSS, XHR, etc.), which makes the work easier. If you want to learn more about the usage of Chrome DevTools and also JavaScript, I recommend you watch TomNomNom & STOK's video below.
So I was looking at a JavaScript file and I saw the file path of that file, and it was a bit weird. The path looked like “https://target.com/contents/theme/_/script/.js file”.
So then I copied the file path and went to it, and as normal the JavaScript file loaded. Then I removed the .js file from the path and loaded it as “https://target.com/contents/theme/_/script/”; it showed up blank, with no error such as Forbidden or 404. Then I removed the script keyword from the path, so the link was like “https://target.com/contents/theme/_/”, and loaded it... BOOM!!! It showed the directory with all the files and folders in the theme folder, and there were some juicy files in there such as database configs, backup files, etc.
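The manual "strip one path segment at a time and reload" step above is easy to automate. The script below is an added example, not the author's tooling or anything from the target: given a discovered asset URL, it enumerates every parent directory, fetches each one, and flags responses that carry the markers of a directory listing page (Apache's "Index of /", nginx autoindex, IIS, Python's http.server). The file name `app.js`, the helper names, and the canned responses are assumptions constructed to mirror the write-up (blank 200 at `/script/`, a listing at `/_/`); swap `fake_fetch` for `real_fetch` when testing a host you are authorized to test.

```python
"""Walk up the directory tree of a discovered asset URL and flag ancestors
that return a directory listing.  Added example; not the author's code.
The target URL, helper names and canned responses are assumptions."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Markers emitted by common autoindex pages (Apache, Python http.server,
# nginx autoindex, IIS).  Case-insensitive because casing varies by server.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<title>\s*Directory listing for /", re.I),
    re.compile(r'<a href="\.\./">', re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)


def ancestor_urls(url):
    """Return the URL's directory ancestors, deepest first, each ending in '/'.

    'https://h/a/b/c.js' -> ['https://h/a/b/', 'https://h/a/', 'https://h/']
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A path that does not end in '/' names a file: drop that last segment.
    if segments and not parts.path.endswith("/"):
        segments = segments[:-1]
    out = []
    for depth in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:depth])
        if not path.endswith("/"):
            path += "/"
        out.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return out


def looks_like_listing(status, body):
    """True only for a 200 whose body matches a known autoindex marker."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def find_listings(url, fetch):
    """fetch(url) -> (status, body).  Returns the ancestors exposing a listing."""
    return [u for u in ancestor_urls(url) if looks_like_listing(*fetch(u))]


# Constructed responses standing in for the target (assumption): a blank 200
# at /script/, an autoindex page at /_/, and normal errors elsewhere.
FAKE_RESPONSES = {
    "https://target.com/contents/theme/_/script/": (200, ""),
    "https://target.com/contents/theme/_/": (
        200,
        "<html><head><title>Index of /contents/theme/_/</title></head>"
        '<body><a href="../">../</a> <a href="db.config.bak">db.config.bak</a>'
        "</body></html>",
    ),
    "https://target.com/contents/theme/": (403, "Forbidden"),
    "https://target.com/contents/": (404, "Not Found"),
    "https://target.com/": (200, "<html><title>Home</title></html>"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))


def real_fetch(url, timeout=10):
    """Live fetch for authorized testing; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""


if __name__ == "__main__":
    asset = "https://target.com/contents/theme/_/script/app.js"  # assumed name
    for hit in find_listings(asset, fake_fetch):
        print("directory listing exposed at", hit)
```

Checking the body rather than just the status code matters: as the write-up shows, `/script/` answered 200 with an empty page, which is not a listing, while `/_/` answered 200 with an index page. Run it over every JS, CSS and image URL harvested from the DevTools Network tab to cover all the theme and asset directories in one pass.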
The vulnerability was a Directory Traversal vulnerability. You can read more about the underlying weaknesses here: https://cwe.mitre.org/data/definitions/538.html (CWE-538, sensitive information in an externally accessible file or directory) & https://cwe.mitre.org/data/definitions/548.html (CWE-548, information exposure through a directory listing).
What is a Directory Traversal Attack?
A directory traversal attack can be used to access restricted files or directories of a web server. There are many reasons these vulnerabilities may be created, such as a lack of URL and relative path checking, or insufficient handling of a request path or URL. The most common attack vector for directory traversals that we have seen is the use of the string ../. Using this string, attackers are able to access directories that they shouldn't have access to. It is because of this that the directory traversal attack may also be called a dot-dot-slash attack or directory climbing. (Credits to https://medium.com/@Vanessa.h)
In my scenario the attack vector had “/_/” in it, which is where the listing was accessible.
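To make the dot-dot-slash attack from the definition above concrete, here is an added example (not code from the write-up, the cited article, or the target) of a file-serving routine written two ways: a naive `os.path.join` that lets `theme/../../secret.txt` climb out of the web root, and a hardened version that canonicalises the joined path and refuses anything whose real location is not under the web root. The web root, the `secret.txt` file and the request strings are constructed for the demo; `demo()` builds them in a temporary directory so the block runs offline.

```python
"""Vulnerable vs. hardened handling of a user-supplied file path (dot-dot-slash).
Added example; not code from the write-up or the target.  The web root layout,
file names and request strings are assumptions built in a temp directory."""
import os
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(base_dir, requested):
    """Naive join: 'theme/../../secret.txt' resolves outside base_dir."""
    return os.path.join(base_dir, requested)


def serve_file_hardened(base_dir, requested):
    """Join, canonicalise (realpath collapses '..' and follows symlinks), then
    require the result to live under base_dir.  Rejects '../' climbing,
    absolute paths (os.path.join discards base_dir for those) and symlink
    escapes.  Raises PermissionError on any path that leaves the web root."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def demo():
    """Build a throwaway web root with a secret *outside* it and try both versions.
    Returns (vulnerable_reads_secret, hardened_blocked, hardened_serves_ok)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.makedirs(os.path.join(base, "theme"))
    with open(os.path.join(base, "theme", "style.css"), "w") as f:
        f.write("body{}")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")  # constructed; sits above the web root

    # The server URL-decodes once before touching the filesystem, so an
    # encoded %2F still becomes a path separator.
    attack = unquote("theme/..%2F..%2Fsecret.txt")  # -> theme/../../secret.txt

    vulnerable_reads_secret = os.path.isfile(serve_file_vulnerable(base, attack))
    try:
        serve_file_hardened(base, attack)
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = True
    hardened_serves_ok = serve_file_hardened(base, "theme/style.css").endswith("style.css")
    return vulnerable_reads_secret, hardened_blocked, hardened_serves_ok


if __name__ == "__main__":
    print(demo())  # expect (True, True, True)
```

The check compares canonical paths rather than looking for the literal string `..`, which is what defeats encoded, doubled or symlink-based variants: whatever the request looked like, the only question asked is where the path actually ends up. Disabling directory listings (Apache `Options -Indexes`, nginx `autoindex off;`) is the separate fix for the exposure in this write-up, and keeping database configs and backups out of the web root altogether removes the payoff for both problems.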
Lessons to Learn
Don't always rely on a single attack vector such as XSS; you may find other vulnerabilities that are more critical than XSS. Also, relax and chill, don't get too stressed: take a drink or a coffee, meet friends, enjoy. Always try to think outside the box.
Thank You!!