A while ago I wrote a post on “Unrestricted File Upload”. By exploiting that bug, I was able to upload a file with any extension, even a blacklisted one, to the server.

After spending some time, I decided to test for Cross-Site Scripting (XSS) using that file upload. So while I was uploading files to the server, I intercepted the request with Burp and changed the filename to an XSS payload, but I failed.

After some time, I uploaded a file to the server and it returned the ‘XML error page’, so at that point I thought the backend server would run XML, so I…

Binamra Pandey
