O'Reilly logo

Python Web Penetration Testing Cookbook by Dave Mound, Benjamin May, Andrew Mabbitt, Terry Ip, Cameron Buchanan

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Automated URL-based Directory Traversal

Occasionally, websites call files using unrestricted functions; this can allow the fabled Directory Traversal or Direct Object Reference (DOR). In this attack, a user can call arbitrary files within the context of the website by using a vulnerable parameter. There are two ways this can be manipulated: firstly, by providing an absolute link such as /etc/passwd, which states from the root directory browse to the etc directory and open the passwd file, and secondly, relative links that travel up directories in order to reach the root directory and travel to the intended file.

We will be creating a script that attempts to open a file that is always present on a Linux machine, the aforementioned /etc/passwd

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required