48 changes: 48 additions & 0 deletions src/pentesting-web/file-upload/README.md
Expand Up @@ -328,6 +328,53 @@ Content-Type: text/xml
- Bindings are often localhost-only; pair with a full-read SSRF (absolute-URL request line, Host header ignored) to reach `127.0.0.1` if the Axis2 port isn’t exposed.
- After writing, browse to `/trufusionPortal/jsp/shell.jsp?cmd=id` to execute.


### Auto-handled HTML file inputs in crawlers / browser automation → local arbitrary file write

Some **browser-powered crawlers** and automation frameworks try to interact with discovered `<input type="file">` elements by **creating a local temporary file** and automatically selecting it in the browser. If the local filename is derived from **page-controlled metadata** such as `accept`, `name`, or `value`, the target website can turn ordinary crawling into a **local arbitrary file write**.

Typical vulnerable flow:

1. The crawler discovers a file input and decides to auto-populate it.
2. It derives a **local filename** from attacker-controlled HTML attributes.
3. It writes attacker-controlled bytes to that path.
4. It calls a browser API such as `selectFile()` on the generated path.

If the implementation accepts any `accept` token starting with `.` as a harmless extension, a payload like `./../../../../target/path/payload.bat` may bypass the check while still carrying **path traversal**. When this string is later passed to `Path.resolve()` / `Path.Combine()` without canonicalization and a **"must stay under temp dir"** check, the final write can escape the temporary directory.

Minimal malicious form:

```html
<form action="/upload" method="post" enctype="multipart/form-data">
<input type="file" name="upload"
value="calc.exe"
accept="./../../../../Roaming/Microsoft/Windows/Start Menu/Programs/Startup/burp_calc.bat">
</form>
```

In that pattern:

- `value` becomes the **local file content** (`calc.exe` in the example).
- `accept` becomes part of the **local filename/path**.
- The result is an **attacker-controlled text file write** anywhere writable if the parent directory already exists.

A practical Windows chain is to target the current user's **Startup** folder so the dropped `.bat` executes on the next logon:

```text
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\burp_calc.bat
```

This is not limited to Burp. Apply the same review to **headless browsers**, **web security scanners**, **test automation**, **RPA bots**, and any tool that processes hostile pages while trying to be "helpful" with file uploads.

Quick audit checklist:

- Never reuse HTML attributes as filesystem paths.
- Reject `/`, `\\`, `..`, drive letters, UNC prefixes, and absolute paths.
- Generate the temp filename server-side/tool-side.
- Canonicalize the final path and verify it still starts with the intended base directory before writing.
- Treat any auto-filled file input as a potential **local file write sink**, not just a browser interaction.


## Tools

- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
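Review bot: the checklist item "Canonicalize the final path and verify it still starts with the intended base directory before writing" describes a plain string-prefix test, which is not sufficient by itself: a base of `C:\tmp\crawl` is also a prefix of `C:\tmp\crawl-evil\...`, so the comparison should be against the base directory plus a trailing separator (or a component-wise comparison of the resolved paths), and it should be done on the fully resolved path rather than the joined string. Separately, "This is not limited to Burp." is the first time the section mentions Burp at all; name the affected product up front (the Burp Suite Professional browser-powered crawler from the HackerOne report added to the references) instead of leaving readers to infer it from `burp_calc.bat`.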
@@ -598,5 +645,6 @@ Backend copies `file.filepath`, so the response returns that path’s content. C
- [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
- [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
- [When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise](https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/)
- [HackerOne report 3712279 – Burp Suite Professional browser-powered crawler file input path traversal leading to arbitrary file write and delayed code execution](https://hackerone.com/reports/3712279)

{{#include ../../banners/hacktricks-training.md}}
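Review bot: the HackerOne report 3712279 entry is appended to the reference list, but the new section in the first hunk never links to it, so the only trace back to the source is the filename `burp_calc.bat`; add an inline link (or a short "Reference" line) in that section so readers can locate the original report from where the technique is described.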