webPromedium
Lab 260 — VaultDrop — Path Traversal via Buffer.prototype.utf8Write Monkey-Patching
hackadvisor
Task: Node.js file-sharing platform with workspace automations that run JavaScript in a sandbox; readFile API validates paths via path.resolve() + startsWith(). Solution: Monkey-patched Buffer.prototype.utf8Write to inject a traversal path after path.resolve() normalization, bypassing the startsWith check while the OS resolves ../ components to read /root/flag.txt.
$ ls tags/ techniques/
path_traversalnodejsjavascriptexpressdecoy_flagsandbox_bypassbuffer_prototypemonkey_patchingautomation_sandbox
buffer_utf8write_monkey_patchpath_resolve_bypassstartswith_check_bypassprototype_method_override
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 346 — DropVault — Path Traversal via Tar Symlink Cache Poisoning— hackadvisor
- [web][Pro]Lab 162 — VaultDrop — File Upload Race Condition (TOCTOU)— hackadvisor
- [web][Pro]Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)— hackadvisor
- [web][Pro]Lab 16 — FileGate — Authentication Bypass in API Login— hackadvisor
- [web][Pro]Lab 342 — CloudVault — Stored XSS via Malicious SVG Upload— hackadvisor