So here's the thing.

You're testing a target. You're clicking around, checking endpoints, running your recon tools… and then you see something like this in the URL:

`https://sub.example.com/static/images/anything.png`

And your brain goes: *meh. Static image. Nothing here. Move on.*

I get it. I used to think the same way.

But what if I told you that URL could be your entry point?

What Even Is LFI?

LFI stands for Local File Inclusion. In simple terms — it's when a web server is dumb enough to let you read files from its own system through a vulnerable parameter or path.

Think of it like this: the server is supposed to serve you one specific file. But because of bad input validation, you can trick it into serving you any file on its system — including sensitive ones like `/etc/passwd`.

The Static URL Trick

Here's what most beginners (including old me) miss:

That `/static/images/` path? Sometimes the server isn't just serving that file statically. Sometimes a script behind that route is building a filesystem path from the URL and opening the file itself, and if nothing sanitizes that path, you can escape the intended directory using path traversal.

The classic payload looks like this:

`https://sub.example.com/static/images/../../../../../../../etc/passwd`

Those `../` sequences are telling the server: go up a directory. And again. And again. Until you're at the root of the filesystem — and then you ask for `/etc/passwd`.

If the server is vulnerable, instead of an image… you get a list of system users. That's LFI.
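To see why that works from the server's side, here is an added example (not from the original post or from the Google finding) of the handler mistake next to a hardened version. `STATIC_ROOT`, `ROUTE_PREFIX` and the sample URLs are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed values: the directory the handler is meant to serve from and
# the URL prefix that routes to it. The server is assumed to run on Linux,
# so POSIX path rules apply (posixpath keeps this deterministic everywhere).
STATIC_ROOT = "/srv/app/static"
ROUTE_PREFIX = "/static/"


def naive_resolve(request_path: str) -> str:
    """Vulnerable: strips the route prefix and glues the rest onto STATIC_ROOT.

    normpath() here models what the kernel does when the file is opened: the
    '..' components are collapsed (any that climb past '/' are ignored), so
    '/static/images/../../../../../../../etc/passwd' ends up opening
    '/etc/passwd'.
    """
    relative = request_path[len(ROUTE_PREFIX):]
    return posixpath.normpath(posixpath.join(STATIC_ROOT, relative))


def safe_resolve(request_path: str) -> Optional[str]:
    """Hardened: decode, normalise, then refuse anything outside STATIC_ROOT.

    Returns the on-disk path to open, or None when the handler should
    answer 404/403 instead of touching the filesystem.
    """
    # Decode once, so '%2e%2e%2f' cannot slip past a textual '../' check.
    decoded = unquote(request_path)
    if not decoded.startswith(ROUTE_PREFIX) or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(
        posixpath.join(STATIC_ROOT, decoded[len(ROUTE_PREFIX):])
    )
    # Containment is the real control. commonpath() compares whole path
    # components, so a sibling such as '/srv/app/static-old' is rejected
    # even though a plain str.startswith(STATIC_ROOT) would accept it.
    if posixpath.commonpath([STATIC_ROOT, candidate]) != STATIC_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for url in ("/static/images/anything.png",
                "/static/images/../../../../../../../etc/passwd",
                "/static/images/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{url}\n  naive -> {naive_resolve(url)}\n  safe  -> {safe_resolve(url)}")
```

The hardened version still allows `../` that stays inside the static root (for example `images/../css/site.css`), which is why the check is on the resolved path rather than on the presence of `../` in the URL.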

This Isn't Just Theory

This exact technique was used to find a real LFI bug in Google, discovered by Jafar Abo Nada. A static-looking URL. A few `../` later. A critical finding on one of the biggest targets in bug bounty.

Shoutout to Vivek PS for breaking it down in a way that actually made sense to beginners like me.

So What Do You Do Next Time?

Next time you're on a target and you spot a static image, JS file, or any file being loaded through a path — don't just scroll past it.

Open it in a new tab. Try adding `../../../../../../../etc/passwd` after the base path. Try different depths. Watch how the server responds.

- Does it throw an error? What kind?
- Does it return something unexpected?
- Does it just hang?

All of that is information.

Quick Checklist

- Spot a static file URL ✅
- Try path traversal with `../` sequences ✅
- Test different traversal depths ✅
- Check for `/etc/passwd`, `/etc/hosts`, `/proc/self/environ` ✅
- Document everything and report responsibly ✅

Final Thought

Bug bounty taught me one thing more than anything else: never assume something is boring just because it looks boring.

The most interesting findings often hide behind the most unassuming URLs.

Stay curious. Stay ethical. Happy hunting. 🎯

Credit:

Jafar Abo Nada (original Google LFI discovery) | Vivek PS (simplification)

Written by [b-vain] — still learning, always sharing.