XSS injection / directory traversal query


New member
I've been playing around with a few bits and pieces, reading over various vulnerabilities and had a bit of a play with directory traversal. It's not massively successful but I came across an example like the following


which would render faq.txt within the page. Obviously you could then use directory traversal via the doc parameter. When I tried it I seemed to have a lot more success than with simple URL based ../

Is that because the request runs with a different set of permissions, or am I barking up the wrong tree?

The reason I ask is that I've found a JS injection vulnerability on a site I go to but it's only on the attackers private profile, so not exposed to other users or admin. I think it's still an issue but the owners don't seem to think so.

(warning: run-on sentence incoming)

What I was wondering was, could I use XSS injection to set up a frame or something on the profile page that would display text files in the same manner as the first URL, and then use that as the basis for a directory traversal attack with greater access permissions than just by modifying the URL? If I can show that I can pull files from the server at will it might be taken a little more seriously.

I'm probably barking up completely the wrong tree here but thought I'd ask. :)