Fuzzing an upload form to identify which extensions are not blocked

This is the process I use to see which extensions may be blocked for upload forms.

This process uses Burp Suite


Create a wordlist with extensions

Launch Burp and make sure it is set to intercept all browser traffic

Next upload a file to the form. Any file works for this

Send to Intruder

Click on the Positions tab and select the Sniper option

Find the filename and click the Add button next to it. This marks the position that the attack will target

Click Payloads, then add the file that you created with the extensions

Start Attack
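
For the server side of this test, the following added example (not part of the original post) runs a constructed extension wordlist through a weak denylist check and a stricter allowlist check, and reports which entries each filter would accept. The function names, the two policy sets and the wordlist are assumptions made for illustration.

```python
import os

# Constructed sample wordlist, one extension per entry, as in the wordlist step.
WORDLIST = ["jpg", "PNG", "gif", "php", "PhP", "phtml", "svg",
            "jpg.php", "php.jpg", "pdf "]

# Hypothetical policies for an image upload form (assumptions, not from the post).
DENYLIST = {"php", "exe"}
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def denylist_accepts(filename):
    """Weak check: case-sensitive match of the last extension against a denylist."""
    ext = filename.rsplit(".", 1)[-1]
    return ext not in DENYLIST


def allowlist_accepts(filename):
    """Stricter check: one normalised extension that must be on the allowlist."""
    name = os.path.basename(filename)
    # Reject padding that some file systems silently strip.
    if name != name.strip() or name.endswith("."):
        return False
    parts = name.split(".")
    # Exactly "stem.ext": no missing stem, no stacked extensions.
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWLIST


def audit(check, wordlist, stem="test"):
    """Return the wordlist entries that the given filter would accept."""
    return [ext for ext in wordlist if check(f"{stem}.{ext}")]


if __name__ == "__main__":
    print("denylist accepts: ", audit(denylist_accepts, WORDLIST))
    print("allowlist accepts:", audit(allowlist_accepts, WORDLIST))
```

Anything the denylist column accepts that the allowlist column rejects is a gap the Intruder results would also surface on a form using that kind of filter.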