April 30, 2026
I Almost Scrolled Past This URL… Then I Got Curious
How a boring static image path led me to understanding one of bug bounty’s sneaky classics — LFI

By Vrajbhai
1 min read
So here's the thing.
You're testing a target. You're clicking around, checking endpoints, running your recon tools… and then you see something like this in the URL:
https://sub.example.com/static/images/anything.png
And your brain goes: meh. Static image. Nothing here. Move on.
I get it. I used to think the same way.
But what if I told you that URL could be your entry point?
What Even Is LFI?
LFI stands for Local File Inclusion. In simple terms — it's when a web server lets you read files from its own filesystem through a vulnerable parameter or path, because it never checks that the file you asked for is one it was meant to serve.
Think of it like this: the server is supposed to serve you one specific file. But because of bad input validation, you can trick it into serving you any file on its system — including sensitive ones like /etc/passwd.
The Static URL Trick
Here's what most beginners (including old me) miss:
That /static/images/ path? Sometimes the server isn't just serving that file statically. Sometimes it's building a filesystem path from the URL behind the scenes — and if there's no sanitization, you can escape the intended directory using path traversal.
The classic payload looks like this:
https://sub.example.com/static/images/../../../../../../../etc/passwd
Those ../ sequences are telling the server: go up a directory. And again. And again. Until you're at the root of the filesystem — and then you ask for /etc/passwd. Extra ../ sequences past the root are harmless, which is why the payload uses more than it strictly needs.
If the server is vulnerable, instead of an image… you get a list of system users. That's LFI.
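To make the bug concrete from the defender's side, here is an added example (my own, not code from the original post or from any of the targets mentioned) of a tiny static-file handler written two ways: the naive join that lets ../ walk out of the web root, and the hardened version that canonicalizes the path and refuses anything outside the root. The web root, the image and the "secret" file outside it are all constructed in a temp directory, so it runs offline.

```python
import os
import tempfile

# Constructed sandbox standing in for a real web root and a sensitive file outside it.
_PARENT = tempfile.mkdtemp(prefix="lfi_demo_")
STATIC_ROOT = os.path.join(_PARENT, "static")          # what /static/ maps to
OUTSIDE_FILE = os.path.join(_PARENT, "secret.txt")     # stands in for /etc/passwd

os.makedirs(os.path.join(STATIC_ROOT, "images"))
with open(os.path.join(STATIC_ROOT, "images", "anything.png"), "wb") as f:
    f.write(b"\x89PNG constructed sample image")
with open(OUTSIDE_FILE, "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n")       # constructed, passwd-like line


def serve_vulnerable(url_path: str) -> bytes:
    """The anti-pattern: join the URL onto the root and open whatever comes out.
    Nothing stops '..' segments from climbing above STATIC_ROOT."""
    fs_path = os.path.join(STATIC_ROOT, url_path.lstrip("/"))
    with open(fs_path, "rb") as f:
        return f.read()


def serve_hardened(url_path: str) -> bytes:
    """Fix: resolve the final path (realpath also follows symlinks) and require
    that it still lies under the canonical web root before touching the disk."""
    root = os.path.realpath(STATIC_ROOT)
    fs_path = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, fs_path]) != root:
        raise PermissionError("path traversal rejected: %r" % url_path)
    with open(fs_path, "rb") as f:
        return f.read()


def hardened_rejects(url_path: str) -> bool:
    """True when the hardened handler refuses the request (useful for checks)."""
    try:
        serve_hardened(url_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    # Same traversal shape as the payload above, but against the sandbox, not a real host.
    probe = "images/../../secret.txt"
    print("vulnerable ->", serve_vulnerable(probe))   # leaks the outside file
    print("hardened rejects ->", hardened_rejects(probe))  # True
```

Note that many web servers normalize ../ in the URL before a handler ever sees it, so an HTTP-level probe can come back clean while the underlying file code is still written like serve_vulnerable; the check in serve_hardened belongs at the filesystem layer regardless.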
This Isn't Just Theory
This exact technique was used to find a real LFI bug in Google — discovered by Jafar Abo Nada. A static-looking URL. A few ../ later. A critical finding on one of the biggest targets in bug bounty.
Shoutout to Vivek PS for breaking it down in a way that actually made sense to beginners like me.
So What Do You Do Next Time?
Next time you're on a target and you spot a static image, JS file, or any file being loaded through a path — don't just scroll past it.
Open it in a new tab. Try adding ../../../../../../../etc/passwd after the base path. Try different depths. Watch how the server responds.
- Does it throw an error? What kind?
- Does it return something unexpected?
- Does it just hang?
All of that is information.
Quick Checklist
- Spot a static file URL ✅
- Try path traversal with ../ sequences ✅
- Test different traversal depths ✅
- Check for /etc/passwd, /etc/hosts, /proc/self/environ ✅
- Document everything and report responsibly ✅
Final Thought
Bug bounty taught me one thing more than anything else: never assume something is boring just because it looks boring.
The most interesting findings often hide behind the most unassuming URLs.
Stay curious. Stay ethical. Happy hunting. 🎯
Credit:
Jafar Abo Nada (original Google LFI discovery) | Vivek PS (simplification)
Written by [b-vain] — still learning, always sharing.