mod0BurpUploadScanner

"Replace filename in requests" disabled but still replaces "filename" content

Open MMquant opened this issue 6 years ago • 0 comments

I'm scanning an upload multipart form which blocks requests with svg and php extensions. If such extensions are submitted, the server refuses any other upload requests and returns error 500.

The svg extension can be disabled in the Show file format checkboxes. However, there is no checkbox for php.

A potential workaround should be to uncheck Replace filename in requests, but even when it is unchecked the scanner still changes the filename field, i.e. in the first 3 requests the filename field value in the multipart POST is:

filename="SanityCheck.png
filename="ZsJOIm18Colab0Jvz.png"
filename="ZsJOIm18Colab1wBH.png"
....
....
filename="randomname.php"  <----- blocks any subsequent uploads

Any ideas how to fix it?

MMquant, Sep 05 '19 10:09