Breaking File Upload Filters with Trailing Dots or Spaces
Attackers exploit how Windows handles trailing dots or spaces in filenames to upload malicious files and bypass extension validation. For example, a malicious file named shell.php. is uploaded; the system silently strips the trailing dot and saves it as shell.php, so the malicious code is stored on the server. 2025-7-16 10:30:40 Author: infosecwriteups.com

Bypassing Extension Validation to Upload Malicious Files on Windows Servers

Monika Sharma

File upload features are everywhere — profile picture uploads, document attachments, media managers.

Now imagine you upload a file called shell.php. and the system lets it through, even though .php files are supposed to be blocked.

Why? Because of a sneaky trick involving trailing dots and spaces.

On Windows systems, a filename like shell.php. (with a dot at the end) gets saved as shell.php: the trailing dot is silently removed by the operating system. An extension check that only looks at the name as submitted therefore sees something other than .php and may let it through, while the file that actually lands on disk is a real .php script.

In this article, we’ll explore how this bypass works, how to find it, and how to exploit it effectively. Perfect for beginners diving into bug bounty or application pentesting!

Why This Works: The OS is Helping You (as an Attacker)

On Windows (NTFS) file systems:

  • A filename like shell.php. (with a trailing dot) is saved as shell.php

  • A filename like shell.jpg (with a trailing space) is saved as shell.jpg

  • The trailing dot (.) or space ( )
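As an added defender-side example (not code from the original article), here is a small Python model of the vulnerable deny-list check beside a hardened check that first canonicalizes the filename the way Windows will, then validates against an allow-list. The allowed and blocked extension sets and the sample filenames are constructed for the example.

```python
import os

# Constructed allow/deny lists for this example (assumption, not from the article).
BLOCKED_EXTENSIONS = {"php", "phtml", "php5", "asp", "aspx", "jsp"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot; '' when there is none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def naive_upload_allowed(filename: str) -> bool:
    """Vulnerable: deny-list check on the name exactly as the client sent it.
    'shell.php.' has extension '' and 'shell.php ' has extension 'php ',
    so neither equals 'php' and both are accepted."""
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def windows_stored_name(filename: str) -> str:
    """Model what the Win32 layer does on create: keep only the final path
    component and drop any trailing dots and spaces from it."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ")


def hardened_upload_allowed(filename: str) -> bool:
    """Validate the name the OS will actually store, using an allow-list.
    An empty name or an empty extension is rejected outright."""
    stored = windows_stored_name(filename)
    ext = extension_of(stored)
    return bool(stored) and ext != "" and ext in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (naive_verdict, hardened_verdict, stored_name)}."""
    return {
        name: (naive_upload_allowed(name), hardened_upload_allowed(name), windows_stored_name(name))
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample uploads, including the two bypass forms from the article.
    samples = ["photo.jpg", "shell.php", "shell.php.", "shell.php ", "shell.php. . ", "photo.jpg."]
    for name, (naive, hard, stored) in compare(samples).items():
        print(f"{name!r:16} stored as {stored!r:12} naive={naive!s:5} hardened={hard}")
```

In a real application the stored filename should be generated server-side rather than derived from the client's name at all; the canonicalization above is the minimum needed if the original name is kept.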

Source: https://infosecwriteups.com/breaking-file-upload-filters-with-trailing-dots-or-spaces-b0b1d118eaf5?source=rss----7b722bfd1b8d--bug_bounty