Automating Client-Side Path Traversals Discovery

submitted by
Style Pass
2024-10-10 01:30:04

A few months ago, I returned to the bug bounty world and stumbled upon a gadget that caught my attention: Client-Side Path Traversals (CSPT). I might have been out of the loop because, despite its age (2007), I wasn’t familiar with it. In fact, I rarely focused on client-side bugs in the past, but shifting my attention to them has recently brought me some great bounties.

After a conversation with Keith, he encouraged me to start sharing what I’ve been working on. Automating CSPT discoveries is one of those things. To be honest, I had automated this before with Rhynorater, but we kept it as exclusive content for Critical Thinkers subscribers (which I highly recommend if you want to elevate your hunting skills, especially for client-side vulnerabilities). I’ve now rewritten and improved the automation from scratch, and I’m excited to share it with you.

Let’s start with the example of a profile page. The web server may respond with the same static profile.html for every user, but the page also receives an id parameter in the query string. The page’s JavaScript uses this value to fetch the user’s information from the API and then render it. I’ve encountered this example multiple times, and it’s a widely used pattern.
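As an added example that is not part of the original post, here is the profile-page pattern just described written as a naive API URL builder next to a hardened one, plus a check for whether a resolved request has left the intended API prefix. The origin, the function names and the allowed id format are assumptions, not something the post specifies.

```javascript
// Added example (not from the original post). Demonstrates the profile
// page pattern: read ?id=... from the page URL, build the API request.
// ORIGIN, USERS_API_BASE, ID_PATTERN and all function names are assumptions.

const ORIGIN = "https://app.example"; // constructed sample origin
const USERS_API_BASE = "/api/users/";

// Reads the id the way the page's JavaScript would. Note that
// searchParams already percent-decodes the value, so what the app
// concatenates is the decoded string, not what appears in the address bar.
function idFromPageUrl(pageHref) {
  return new URL(pageHref).searchParams.get("id") ?? "";
}

// Vulnerable pattern: the decoded id is concatenated straight into the
// request path, so the URL parser normalises any path segments it contains.
function buildProfileApiUrlNaive(id) {
  return new URL(USERS_API_BASE + id, ORIGIN).href;
}

// Hardened pattern: accept only the id format the backend actually issues
// (assumed here to be 1-32 characters of [A-Za-z0-9_-]) and percent-encode
// the value as defence in depth before it becomes part of the path.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;
function buildProfileApiUrlSafe(id) {
  if (!ID_PATTERN.test(id)) {
    throw new Error("invalid user id");
  }
  return new URL(USERS_API_BASE + encodeURIComponent(id), ORIGIN).href;
}

// Review/runtime check: after normalisation, does the request still sit
// under the intended API prefix with a non-empty resource segment?
function escapesApiBase(href) {
  const path = new URL(href).pathname;
  return !path.startsWith(USERS_API_BASE) || path === USERS_API_BASE;
}
```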
