
I am pentesting an HTTP server using Jetty, where I have access to the code. This is one of the URLs I am looking at: get/services/test.js
Code below 👇
    @GET
    @Path("services/{script:.+[.]js}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response servicesScript(@PathParam("script") String script) {
        try {
            // Reject any script name that still contains a "/" after the
            // container has decoded the path parameter.
            if (script.lastIndexOf("/") != -1)
                return Response.status(Response.Status.NOT_FOUND).build();

            // Look the name up as a classpath resource under "script/".
            final InputStream scriptInputStream =
                    getClass().getClassLoader().getResourceAsStream("script/" + script);

            if (scriptInputStream != null) {
                return Response.ok(CharStreams.toString(new InputStreamReader(
                        scriptInputStream, Charsets.UTF_8))).build();
            } else {
                return Response.status(Response.Status.NOT_FOUND).build();
            }
        } catch (IOException e) {
            throw new MxConsoleException("Invalid js requested: " + script, e);
        }
    }
It seems that it is checking if the script name includes "/". I tried to URL-encode this "/" and see if I can read /etc/passwd, but I couldn't. Same if I do double encoding. These are the crafted URLs I tried:
GET /1/services/..%252f..%252f..%252f..%252f..etc%252fpasswd HTTP/1.1
GET /1/services/..%2f..%2f..%2f..%2f..etc%2fpasswd HTTP/1.1
Can anyone help me bypass this? Found no CVEs either.
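As an added example (not the poster's handler or the project's code), here is the handler's "/" check beside a stricter allowlist check on the decoded script name, run over constructed inputs; the class name, the regex and the sample names are assumptions made for illustration:

```java
import java.util.regex.Pattern;

// Added example, not code from the forum post: compares the posted handler's
// single "/" denylist check with an allowlist on the whole script name.
public class ScriptNameCheck {
    // Hypothetical allowlist: a bare file name of word characters, dashes and
    // dots, ending in ".js". No leading dot, so no ".." segment can appear.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*\\.js$");

    // The check the posted handler performs: reject any name containing "/".
    static boolean passesOriginalCheck(String script) {
        return script.lastIndexOf("/") == -1;
    }

    // Hardened check: accept only names matching the allowlist, so percent
    // signs, backslashes and ".." are rejected without listing each one.
    static boolean passesAllowlist(String script) {
        return SAFE_NAME.matcher(script).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs as @PathParam would receive them after one
        // round of decoding by the container.
        String[] inputs = {
            "test.js",
            "../../etc/passwd",        // what ..%2f..%2fetc%2fpasswd decodes to
            "..%2f..%2fetc%2fpasswd",  // what the %252f variant decodes to
            "..\\..\\secret.js",
        };
        for (String in : inputs) {
            System.out.printf("%-26s original=%-5b allowlist=%b%n",
                    in, passesOriginalCheck(in), passesAllowlist(in));
        }
    }
}
```

The second input fails both checks; the third contains no literal "/" and so passes the original check but is then looked up verbatim as a classpath resource name, which is why the allowlist is the safer place to enforce the rule.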
0 sats \ 2 replies \ @ek 30 Apr
I think nobody replied because it's too hard to help you when you just give us a snippet of code and don't even explain why it didn't work, like: what error did you get? And why do you think there must be a path traversal vulnerability in there? Also, if you have the code, can't you just run the code and debug it?
Anyway, I recommend reading this.
That link was intentional, I suppose -_- btw I made the edits here https://github.com/stackernews/stacker.news/issues/2144
0 sats \ 0 replies \ @ek 1 May
Yes, because I want to help you