Mastering Modern Web Penetration Testing by Prakhar Prasad

MIME content type verification bypass

Every document or file has a MIME type, an identifier consisting of two parts, a type and a subtype, separated by a forward slash. Web developers sometimes rely on the MIME type of an uploaded file to decide whether the file is safe. For an image upload application, the allowed MIME types might be image/jpeg, image/gif, and image/png. Because the MIME type is sent as part of the request, we can bypass this check by simply changing it through an intercepting proxy, such as Burp Suite or Tamper Data for Firefox.

Let's consider the following PHP code, which only allows JPG and GIF files by verifying the file's MIME type during the upload process:

<?php
  $filename = $_FILES['image']['name'];
  $tmp = $_FILES['image']['tmp_name']; ...
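
For the defensive side of the check described above, the following added example (not the book's code) contrasts trusting the client-declared type with detecting the type from the uploaded bytes and assigning the stored name server-side. `UPLOAD_DIR`, `ALLOWED` and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not the book's code. UPLOAD_DIR, ALLOWED and the function
// names are assumptions; the 'image' field name matches the page's snippet.
const UPLOAD_DIR = '/var/www/uploads'; // assumed: a directory where scripts never execute
const ALLOWED = ['image/jpeg' => 'jpg', 'image/gif' => 'gif']; // detected type => assigned extension

// Weak check, shown for contrast: 'type' is copied from the multipart
// Content-Type header, so it records only what the client claims.
function client_type_allowed(array $file): bool
{
    return array_key_exists($file['type'] ?? '', ALLOWED);
}

// Stronger check: derive the type from the stored bytes with fileinfo.
function detected_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return (is_string($mime) && array_key_exists($mime, ALLOWED)) ? ALLOWED[$mime] : null;
}

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = detected_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an allowed image type');
    }
    // Content sniffing inspects only part of the file, so the stored name and
    // extension are generated here and never taken from $file['name'].
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

if (isset($_FILES['image'])) {
    try {
        echo basename(store_upload($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

The fileinfo extension must be enabled for `finfo` to be available, and the upload directory should be configured so the web server serves its contents as static files only.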
