diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index 1ce102580d5..e028512859e 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -328,6 +328,53 @@ Content-Type: text/xml - Bindings are often localhost-only; pair with a full-read SSRF (absolute-URL request line, Host header ignored) to reach `127.0.0.1` if the Axis2 port isn’t exposed. - After writing, browse to `/trufusionPortal/jsp/shell.jsp?cmd=id` to execute. + +### Auto-handled HTML file inputs in crawlers / browser automation → local arbitrary file write + +Some **browser-powered crawlers** and automation frameworks try to interact with discovered `` elements by **creating a local temporary file** and automatically selecting it in the browser. If the local filename is derived from **page-controlled metadata** such as `accept`, `name`, or `value`, the target website can turn ordinary crawling into a **local arbitrary file write**. + +Typical vulnerable flow: + +1. The crawler discovers a file input and decides to auto-populate it. +2. It derives a **local filename** from attacker-controlled HTML attributes. +3. It writes attacker-controlled bytes to that path. +4. It calls a browser API such as `selectFile()` on the generated path. + +If the implementation accepts any `accept` token starting with `.` as a harmless extension, a payload like `./../../../../target/path/payload.bat` may bypass the check while still carrying **path traversal**. When this string is later passed to `Path.resolve()` / `Path.Combine()` without canonicalization and a **"must stay under temp dir"** check, the final write can escape the temporary directory. + +Minimal malicious form: + +```html +
+ +
+``` + +In that pattern: + +- `value` becomes the **local file content** (`calc.exe` in the example). +- `accept` becomes part of the **local filename/path**. +- The result is an **attacker-controlled text file write** anywhere writable if the parent directory already exists. + +A practical Windows chain is to target the current user's **Startup** folder so the dropped `.bat` executes on the next logon: + +```text +C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\burp_calc.bat +``` + +This is not limited to Burp. Apply the same review to **headless browsers**, **web security scanners**, **test automation**, **RPA bots**, and any tool that processes hostile pages while trying to be "helpful" with file uploads. + +Quick audit checklist: + +- Never reuse HTML attributes as filesystem paths. +- Reject `/`, `\\`, `..`, drive letters, UNC prefixes, and absolute paths. +- Generate the temp filename server-side/tool-side. +- Canonicalize the final path and verify it still starts with the intended base directory before writing. +- Treat any auto-filled file input as a potential **local file write sink**, not just a browser interaction. + + ## Tools - [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications. 
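Review bot: the "Minimal malicious form" block and the prose around it lost their inline HTML: the fenced `html` block renders as an empty `<form>` with no `<input>` element, and the sentence "try to interact with discovered `` elements" has an empty code span where the file-input markup should be. As a result the later bullets ("`value` becomes the local file content (`calc.exe` in the example)", "`accept` becomes part of the local filename/path") refer to attributes that no longer appear anywhere in the section; please check that the input element and its `accept`/`name`/`value` attributes survive markdown rendering (fenced `html` blocks normally preserve them, so the source line itself is probably missing the element). The same stripping hit the Windows path example, which now reads `C:\Users\\AppData\Roaming\...` with the username placeholder gone, so readers will copy a path that does not exist; a placeholder such as `<username>` or the `%APPDATA%` form keeps it unambiguous. Two smaller points: "This is not limited to Burp" is the first mention of Burp in the section, so say up front which tool the finding was reported against (the reference added at the bottom of this patch covers it) before generalising; and in the checklist, "verify it still starts with the intended base directory" should be stated as a path-component comparison (base directory plus trailing separator, or a relative-path check after canonicalising both sides), since a plain string-prefix test still accepts a sibling directory whose name merely begins with the temp directory's name.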
@@ -598,5 +645,6 @@ Backend copies `file.filepath`, so the response returns that path’s content. C - [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink) - [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html) - [When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise](https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/) +- [HackerOne report 3712279 – Burp Suite Professional browser-powered crawler file input path traversal leading to arbitrary file write and delayed code execution](https://hackerone.com/reports/3712279) {{#include ../../banners/hacktricks-training.md}}
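Review bot: the new reference entry is never cited from the section this patch adds, so a reader of the "Auto-handled HTML file inputs" text has no pointer to the original disclosure; add an inline link to the HackerOne report where the Burp behaviour is first described (or a short "Reference:" line at the end of that section), matching how the TRUfusion section above cites its rcesecurity write-up. The entry itself follows the existing "Source – Title" format of the list, so no style change needed there.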