"Unrestricted File Upload" is one of my favorite group of web application vulnerabilities. This is because if I can locate this type of security error, it usually leads to remote control of the server. If you can upload images, why not try to upload an executable file on the server side of the :).
As the testing process itself is tedious when encountering an unusual security mechanism, and the number of cases to consider is large , it is worth automating the process. With the help of us here comes a great plugin for Burpa – Upload Scanner.
Uploading files to websites is often an underestimated area of security testing.The surface area of these types of attacks is very large.Only a few of the problems that arise attract a lot of attention of fuses (eg.ImageTragick Vulnerability . Besides them, there are countless vulnerabilities that cause, for example, various types of memory errors. Note that while your REST XML network service may not be susceptible to external XML entity injection (XXE), this does not mean that the image parser used for XMP JPEG metadata (i.e. XML) does not have a problem with XXE.
To determine that the file transfer mechanism implemented is secure, you must check it from different angles. Among other things, correlation behavior depends on the file extension, content type, and content itself.Additionally, the file body should undergo server-side modification tests, such as image size requirements or sizing operations.
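The three angles named above (extension, declared content type, actual bytes) plus the XMP/XXE point, turned into a server-side check. This is an added example, not code from the post or from the Upload Scanner project; the file names and byte samples are constructed, and the allow-list is an assumption for illustration:

```python
# Added example (not Upload Scanner code): reject uploads where extension,
# Content-Type and file signature disagree, and reject JPEGs whose XMP
# packet declares a DTD, which is where an XXE payload would have to live.
import re

# Assumed allow-list: extension -> (expected Content-Type, magic prefixes)
ALLOWED = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def xmp_has_dtd(data: bytes) -> bool:
    """True if an embedded XMP packet declares a DTD or entity."""
    start = data.find(b"<?xpacket begin=")
    if start == -1:
        start = data.find(b"<x:xmpmeta")
    if start == -1:
        return False  # no XMP packet at all
    end = data.find(b"<?xpacket end=", start)
    packet = data[start:end if end != -1 else len(data)]
    return DTD_MARKERS.search(packet) is not None


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple:
    """Return (accepted, reason); every angle must agree before acceptance."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:   # refuses "a.php.png" and ".htaccess"
        return False, "reject: exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "reject: extension not allowed"
    expected_ct, magics = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != expected_ct:
        return False, "reject: Content-Type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "reject: file signature does not match extension"
    if ext in ("jpg", "jpeg") and xmp_has_dtd(data):
        return False, "reject: XMP metadata declares a DTD"
    return True, "accept"
```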
The main functionalities of the "Upload Scanner" plugin are:
- Investigates server behaviour for gif, png, jpeg, tiff, pdf, zip, and mp4 files
- Investigates whether the server resizes an image
- Investigates whether the server changes image colours
- Investigates server behaviour for exiftool file metadata fields such as "keywords", "comment", etc.
- Investigates server behaviour for PHP, JSP, ASP, XXE, SSRF, XSS, and SSI payloads
- Investigates server behaviour for combinations of file extensions and content types
- Detects problems through sleep-based (time-delay) payloads, interaction with Burp Collaborator, or by downloading the uploaded file again
- In the default configuration, the extension attempts to upload about 2,000 files
A quick rundown of how to use the extension in its standard form:
1. Catch the request that uploads the file to the server and send it to the plugin:
2. Configure the parser so that it correctly identifies the address of the file on the server after upload:
3. Start the scan 🙂
The plugin can be found in the BApp Store and on GitHub: UploadScanner