- Create a text file with extension types
- .php
- .php3
- .php4
- .php5
- .phtml
- Launch Burp
- Enable intercept on webpage
- Upload any file to page
- Send to intruder
- Click on Positions tab
- Uploaded txt file to payload configuration
- Start attack
Burp – checking file extension uploads
