That innocent avatar uploader could be your gateway to the server. Learn to abuse file names, content types, and directory traversal to turn a simple feature into a full-blown compromise.
Welcome back to the Bug Bounty Bootcamp. You’ve extracted databases, bypassed CSP, and forged requests. Now, we target one of the most common yet dangerous features: file uploads. Profile pictures, document attachments, HTML resumes — every time an application accepts a file, it opens a potential attack surface. A misconfigured uploader can lead to Remote Code Execution (RCE), Cross-Site Scripting (XSS), path traversal overwrites, and even blind command injection. This guide will walk you through the complete hunter’s methodology for testing file uploads, from basic extension tricks to advanced blind RCE using out-of-band techniques.
The Attack Surface: More Than Just the File Content
Most testers focus only on the file’s content (e.g., uploading a PHP shell). But a skilled hunter examines every part of the upload request: