
I've just started in penetration testing with Metasploitable and am currently trying to learn the file upload vulnerability present in the DVWA module. I know that somehow the upload is preventing files other than images from being uploaded, but I don't understand how. I tried to look at the page source of the 'upload file' webpage, but I don't see any JavaScript working there. The webpage only refers to a script, which also doesn't seem to have any filters for the file being uploaded. Can someone please explain what exactly in the HTML or JavaScript of the webpage is working as a filter?

Ryuzaki
  • Why should the filter be in HTML/JavaScript? Why can't the filter be in the backend (PHP)? – nobody Jul 05 '20 at 08:09
  • @nobody Because intercepting the POST request and modifying it using Burp Suite is allowing any extension to be uploaded. Had the filter been at the server, modifying the request using Burp Suite shouldn't have worked. – Ryuzaki Jul 05 '20 at 11:48

0 Answers