What is missing or needs to be updated?
- This cheat sheet already has a couple of extension bypass examples (double extensions, null bytes) ,but a few common ones aren't mentioned.
- case manipulation in ext.
- alternative extensions tied to the same interpreter.
- The sheet doesn't currently mention that an attacker can upload a web server config file (like .htaccess or web.config) into the upload folder . The existing advice to store files outside the webroot already covers this, so it would just be a short note tying the two together near "File Storage Location".
How should this be resolved?
- extension bullet points :
- Case manipulation, e.g. .pHp , .PHP5 , to bypass case-sensitive blocklist filters
- Alternative extensions tied to the same interpreter eg. .phtml , .phar , .pht for PHP , or .jsp/.jspx , .asp/.aspx for Java/.NET
- And add one short sentence under "File Storage Location" noting that
server config files (.htaccess, web.config) can be uploaded to change
how a directory is handled , with the existing "store outside the
webroot" point .
Happy to send a pr if this is not already covered yet.
What is missing or needs to be updated?
How should this be resolved?
server config files (.htaccess, web.config) can be uploaded to change
how a directory is handled , with the existing "store outside the
webroot" point .
Happy to send a pr if this is not already covered yet.