Bypassing file upload restrictions

Never trust the user input!

Introduction

Uploaded files can pose a significant risk to web applications, which means the security side of file upload forms must be at the maximum level. During penetration testing engagements, you may have seen unrestricted file uploads which can quickly grant you RCE, but it’s not always that easy. In some cases you have to bypass certain restrictions and trick the target application into uploading your malicious shell....

August 4, 2021 · 4 min · Lazar

Simple Code Analysis

In today’s blog post I’ll be doing a simple source code analysis of a vulnerable web blog made by PentesterLab. It’s a basic PHP web app for learning white box testing, meaning that we have access to all of the source code.

Analysis

The first thing I’ll be looking into is the index.php file:

<?php
  $site = "PentesterLab vulnerable blog";
  require "header.php";
  $posts = Post::all();
?>
<div class="block" id="block-text">
  <div class="secondary-navigation">
    <div class="content">
      <?php
        foreach ($posts as $post) {
          echo $post->render();
        }
      ?...

July 29, 2021 · 8 min · Lazar