Collaborate Disseminate
When a crash occurs or when a user reports a bug, I’d like to send my application’s logs to a cloud service (Firebase).
But I’ve just realised that there are tons of kindergarten level exploits. For example:
they can make these logs treme… Continue reading Sending logs with bug reports: how to defend against easy exploits like malicious file enlargement?
On lab.com there is a file upload for blogs posted on it. All files are put in /userfiles/, where no PHP can be executed, it just throws file right out in the browser.
My question is: Can this be somehow bypassed to execute uploaded shell?… Continue reading Bypass File Execution Prevention
I am currently testing a website where users can upload images and they will be uploaded to the sites CDN at cdn.domain.com/1/username/2/filename.png
If you try to upload most file types that aren’t images for example .txt files you are gi… Continue reading Where are these files uploaded to?
I am trying to implement secure file uploads. I need to support various file types, including PDF, XLS, and XSL. I have implemented some basic controls, such as:
Store files outside the web root
Check file extension against whitelist
Gene… Continue reading Should I validate file types on server upload, and how?
In a web application I manage, we have installed an option to let the users to upload files. The files are stored directly in the database. The security department of the company have requested us to limit the files by extension to certain… Continue reading What’s the point in blocking content upload by extension?
I am not a technical person. My company recently asked me to install FileZilla to transfer files to and from a server in my company. So I installed FileZilla and typed in the credentials my company gave.
Then the following message appeared… Continue reading Does an insecure ftp connection compromise all other data transfers?
Say I want to keep some files on cloud for portability but I do not trust the encryption (if there is any) provided by cloud service provider (avoid possibility of backdoor to read my files), so I am thinking to use some virtual drive encr… Continue reading Using virtual drive encryption software with cloud storage
I’m doing a pentest on a website and I’ve managed to gain access to the admin’s page that has file upload functionality to an /uploads/ directory. It will only accept html files, per the upload.php source code.
I’ve tried uploading a simpl… Continue reading Help with bypassing file upload whitelist
I’m performing a pentest on a website running Apache that has an empty /uploads directory. I’ve performed thorough enumeration of all directories and functionality on the website, and there is no clear way to upload anything to this myster… Continue reading Issues with uploading file
Would a file upload function be vulnerable to code execution where the uploaded file is always converted to a PNG file by the application? For example, if one uploads shell.php and this file is converted into somerandomstring.png, can one … Continue reading Possibility of arbitrary file upload where upload converted to png