The issue is that /etc/passwd might be blocked by waf, so try to include modality that will use 'silent' payloads and include different files to confirm the vulnerability.
Also Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or alike method of discovery...
The issue is that /etc/passwd might be blocked by waf, so try to include modality that will use 'silent' payloads and include different files to confirm the vulnerability.
Also Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or alike method of discovery...