Burp – checking file extension uploads

  1. Create a text file listing the extension types to test:
    • .php
    • .php3
    • .php4
    • .php5
    • .phtml
  2. Launch Burp
  3. Enable intercept for the web page
  4. Upload any file to the page
  5. Send the request to Intruder
  6. Click on the Positions tab
  7. Load the text file into the payload configuration
  8. Start attack
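
What this check exercises on the server side, as an added example that is not part of the original note: a denylist naming only .php lets the other wordlist entries through, while an allowlist rejects all of them. The function names and the image allowlist are assumptions, and Python is used only for illustration.

```python
import os

# Extensions from the wordlist in step 1 (constructed test input).
WORDLIST = [".php", ".php3", ".php4", ".php5", ".phtml"]

# Weak pattern: a denylist that names only the obvious extension.
DENYLIST = {".php"}

# Hardened pattern: allowlist of what the feature needs
# (assumption: an image upload form).
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def weak_is_allowed(filename):
    """Denylist check: rejects only the extensions it knows about."""
    ext = os.path.splitext(filename)[1]
    return ext not in DENYLIST


def hardened_is_allowed(filename):
    """Allowlist check on a normalised name; anything unexpected is rejected."""
    if "\x00" in filename:
        return False
    # Drop any client-supplied path and compare case-insensitively.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    # Exactly one extension and a non-empty base name are required, so
    # names with no extension, several extensions or a trailing dot fail.
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWLIST


def accepted(check, base="upload"):
    """Return the wordlist extensions that the given check lets through."""
    return [ext for ext in WORDLIST if check(base + ext)]


if __name__ == "__main__":
    print("denylist accepts: ", accepted(weak_is_allowed))
    print("allowlist accepts:", accepted(hardened_is_allowed))
```

Any wordlist entry that the Intruder results show as accepted corresponds to an entry returned by `accepted()` for the filter in use; the allowlist form should return an empty list.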