From 642f809226c9e25c22c3c97ee12dadfda945f17a Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Fri, 27 Mar 2026 15:43:45 +0100
Subject: Add malicious file upload solution

---
 Upload malicious file/Resources/notes.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Upload malicious file/Resources/notes.md

(limited to 'Upload malicious file/Resources/notes.md')

diff --git a/Upload malicious file/Resources/notes.md b/Upload malicious file/Resources/notes.md
new file mode 100644
index 0000000..98f0a85
--- /dev/null
+++ b/Upload malicious file/Resources/notes.md	
@@ -0,0 +1,13 @@
+## Exploit
+
+1. In the page to upload images there is no input validation of files uploaded by the user beyond checking for the `Content-Type` header.
+1. Upload `yourMom.exe` with `upload.bash`. It will be accepted and the flag printed.
+
+## Fix
+
+- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files]()
+- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types?utm_source=chatgpt.com]()
+
+Input validation for file is very complicated but should go beyond only checking the `Content-Type` header, for example the file extension, or the file content (magic pattern, content pattern etc). Here is a more complete [cheatsheet for file upload from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html).
+
+Even legitimate files might have malicious content!
-- 
cgit v1.2.3