Burp Suite Professional browser-powered crawler file input p...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://hackerone.com/reports/3712279
• Blog Title: Burp Suite Professional browser-powered crawler file input path traversal leading to arbitrary file write and delayed code execution
• Suggested Section: Pentesting Web / Web Vulnerabilities Methodology or a new Burp Suite / Attacking Automated Crawlers section; also cross-reference Windows persistence via Startup folder and generic path traversal/arbitrary file write

🎯 Content Summary

Overview

The report describes a High severity vulnerability in Burp Suite Professional 2026.3.3 on Windows, affecting Burp Scanner's browser-powered crawler. When Burp crawls an attacker-controlled website, a malicious page can abuse Burp's automatic handling of HTML file upload inputs to make Burp create an attacker-controlled local file at an attacker-influenced filesystem path.

The demonstrated impact is a delayed local code execution primitive: the page causes ...

🔧 Technical Details

Abusing automated file input handling in crawlers: Browser automation and crawling systems that auto-fill <input type="file"> fields can become dangerous if they create local upload files from page-controlled metadata. If an application uses attributes such as accept, value, or name to derive a local filename, a malicious page may turn ordinary form crawling into a local filesystem write primitive. In this case, the file input's value becomes the file content and the accept attribute becomes part of the local filename.

Path traversal through extension parsing: Treating any accept token that starts with . as a safe file extension is unsafe. A payload such as ./../../../../target/path/file.bat begins with a dot, so it can pass naive extension validation, but it also contains traversal sequences. If the resulting filename is passed to Path...

🤖 Agent Actions

Done.

Updated:

• src/pentesting-web/file-upload/README.md

Added:

• A new subsection covering auto-handled HTML file inputs in crawlers/browser automation leading to local arbitrary file write
• The path traversal via accept token parsed as an extension pattern
• The Windows Startup folder delayed execution chain
• A concise audit/remediation checklist
• The HackerOne report URL in ## References

Why this file:

• Best fit was File Upload, since the core primitive is unsafe handling of <input type="file"> plus attacker-controlled filename/content generation, not a Burp-specific product page or a Windows-only persistence page.

Validation:

• Reviewed diff and basic file integrity checks passed
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://hackerone.com/reports/3712279

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / Web Vulnerabilities Methodology or a new Burp Suite / Attacking Automated Crawlers section; also cross-reference Windows persistence via Startup folder and generic path traversal/arbitrary file write".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0