File Upload Scanner

The File Upload Scanner — upload MCP tool — is a focused scanner for upload endpoints. It tests 16 extension variants, 6 content-type mismatches, double extensions, null byte injection, and polyglot file generation to find filter bypasses on upload functionality.

The built-in scanner has an active File Upload check; this dedicated scanner is the deeper, single-endpoint version with more variants and better PoC artifact generation.

🔗What It Tests

🔗Extension Variants (16)

For a baseline safe.txt upload:

Direct dangerous: safe.php, safe.jsp, safe.asp, safe.aspx, safe.phtml, safe.phar, safe.cer
Case manipulation: safe.PhP, safe.PHP
Double extension: safe.txt.php, safe.php.txt
Trailing dot: safe.php.
URL encoding: safe%2Ephp, safe%00.php
Spaces / null bytes in name: safe .php, safe%20.php
Alternate dangerous: safe.htaccess, safe.config, safe.shtml

For each variant, the scanner uploads, then attempts to access the uploaded file via the same path the legitimate file would be accessed from, and checks if the server interprets it as code.

🔗Content-Type Mismatches (6)

For each extension, vary the Content-Type header sent in the multipart body:

image/png
image/jpeg
image/gif
text/plain
application/octet-stream
(none — omit the header)

Detects servers that filter on extension OR content-type but not both.

🔗Magic Byte Polyglots

Generates files with valid file-format magic bytes prepended to malicious content:

GIF89a + PHP — valid GIF that’s also valid PHP (GIF89a;<?php ... ?>)
JPEG + PHP — JFIF marker + EXIF comment containing PHP
PNG + PHP — IHDR chunk + iTXt chunk with PHP
PDF + JavaScript — %PDF-1.4 header + embedded JS
ZIP + JS (polyglot ZIP/JS for Office macros)

The scanner uploads each polyglot, attempts to execute / view the result, and checks for code execution markers.

🔗Path Traversal in Filename

Tests filenames containing path traversal sequences:

../shell.php
..\\..\\shell.php
%2e%2e%2fshell.php
....//shell.php

Detects servers that don’t sanitise upload paths.

🔗Running a Scan

Capture an upload request through the proxy (POST multipart/form-data)
Right-click the captured upload → Send to Upload Scanner
Configure target URL, file field name, expected response on success
Start
Watch results table populate

The scanner needs to know:

Where the uploaded file ends up (URL pattern). It uses heuristics — /uploads/<filename>, /files/<id>, etc. — but you can override with a custom Access URL Pattern that uses {{filename}}.
What success looks like (HTTP 200 + body contains pattern, or a redirect).

🔗Findings

Each successful bypass auto-creates a finding:

Severity Critical (RCE via uploaded shell)
Severity High (uploaded restricted file type that’s interpreted)
Severity Medium (filter bypass without proven execution)
CWE-434 (Unrestricted Upload of File with Dangerous Type)
Evidence: upload request + response, fetch request + response showing executed content
PoC reproducer command (cURL one-liner)

🔗Polyglot Generation

The Generate Polyglot action creates polyglot files on demand without uploading. Useful for manual testing or hosting via the Files view.

upload action:"generate_polyglot" base_format:"png" payload_lang:"php"

Returns the polyglot bytes ready to save / use.

🔗Tips

Authenticate first. Most upload endpoints require auth — capture from an authenticated browser session and the scanner inherits cookies/headers.
Watch for AV / sandboxing. Some servers analyse uploads with antivirus or sandbox them. The Polyglot section is designed to evade naive AV signatures, but expect false negatives on properly defended endpoints.
Combine with Param Discover. Sometimes the upload accepts a hidden path parameter that controls where the file lands — discover those params first, then test upload variants.

🔗MCP

The upload MCP tool exposes:

scan — full upload scan with all variants
techniques — list available techniques (with descriptions)
generate_polyglot — produce a polyglot file artifact