Skip to main content

🗂️PortSwigger Lab Writeup: Web Shell Upload via Content-Type Restriction Bypass

PortSwigger lab banner: Web shell upload via Content-Type restriction bypass

🎯 Objective

The objective of this lab is to exploit a file upload vulnerability where the app has a vulnerable image upload function which relies on Content-type header for validation before storing them. The goal is to upload a basic web shell and exfiltrate the contents of file /home/carlos/secret

  • Lab URL: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass
  • Category: File Upload
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. Blogging website homepage displaying blog posts and navigation menu
    Login page interface with username and password fields
  • At first glance, the website seems to be a blogging website with a login page. In the lab description, it is mentioned that we need to exfiltrate the secret of carlos.

📝Step 2: Upload the payload

  • First login with the given credentials - wiener:peter to access file upload function. Login page with wiener credentials
  • Now, we can see the file upload function where we can upload an avatar of the user. User profile page with file upload form for avatar image
  • Make basic php web shell named payload.php with the given code: 
    <?php echo file_get_contents('/home/carlos/secret'); ?>
  • Now, Upload this payload. File upload dialog showing payload.php file selected for upload Upload rejection message showing Content-Type validation error
  • However, our upload request is rejected by server for wrong file type.
  • Now, Open the HTTP History in Burpsuite and send the POST /my-account/avatar request to Repeater tab. Burp Suite HTTP history showing POST request with Content-Type header
  • Change the value of Content-type header from application/x-php to image/png and sent the request. Burp Repeater with modified Content-Type header changed to image/png
  • Hence, our web shell is successfully uploaded to the server.

🧑‍💼Step 3: Access the Secret

  • Open the uploaded web shell at /files/avatars/payload.php Web shell executing and displaying carlos secret file content
  • Hence, our web shell executed successfully and returned the secret of carlos.
  • Now, Copy and submit it to complete the lab. Lab solved confirmation message after submitting the correct secret
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab demonstrated how Content-Type validation alone is insufficient for file upload security. By modifying the MIME type header from application/x-php to image/png, we bypassed the validation and executed arbitrary code.
  • The impact is critical — attackers can bypass client-side and weak server-side file type checks by manipulating HTTP headers.
  • Fix: validate file contents (magic bytes/file signatures) server-side, use allowlists for allowed file types, store uploads outside web root, and disable script execution in upload directories.