This plugin will try to exploit insecure file upload forms. One configurable parameter exists:
The extensions parameter is a comma-separated list of extensions that this plugin will try to upload. Many web applications verify the extension of the uploaded file; if specific extensions are required, they can be added here. Some web applications also check the contents of the uploaded file to verify that it really is what its extension claims. To bypass this check, the plugin uses file templates located at “plugins/audit/file_upload/”; these templates are valid files for each extension that contain a section (for example, the comment field of a GIF file) which can be replaced by scripting code (PHP, ASP, etc.). After uploading the file, the plugin tries to find it in common directories such as “upload” and “files” under every known directory. If the file is found, a vulnerability exists.
| Parameter | Type | Default | Description | Help |
|---|---|---|---|---|
| extensions | list | ['gif', 'html', 'bmp', 'jpg', 'png', 'txt'] | Extensions that w3af will try to upload through the form. | When finding a form with a file upload, this plugin will try to upload a set of files with the extensions specified here. |
This plugin has no dependencies.
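The description above shows why a server-side check that only compares the extension and the leading magic bytes is not enough: a template that is a valid GIF but carries script code in its comment block passes that check. The following Python is an added example written for this page (it is not w3af code and not part of the plugin) that contrasts a naive extension-plus-header check with a stricter validator. The allowlist, the `SCRIPT_MARKERS` list, the `check_upload`/`naive_check` function names and the two sample GIF files are all constructed for the example.

```python
import os

# Extension allowlist with the file signature each one must start with (constructed for this example).
ALLOWED_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
    "txt": (),  # no binary signature; text files are checked by the content rule only
}

# Server-side script markers; any file carrying one of these in its body is rejected,
# whatever its extension and header say (constructed list, extend for your stack).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def naive_check(filename: str, data: bytes) -> bool:
    """Extension allowlist plus magic bytes only: the kind of check the plugin's templates defeat."""
    ext = filename.rsplit(".", 1)[-1].lower()
    sigs = ALLOWED_SIGNATURES.get(ext)
    if sigs is None:
        return False
    return (not sigs) or data.startswith(sigs)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Stricter validator: returns (accepted, reason).

    The client-supplied filename is untrusted, so only its single final extension
    is used, and the body is scanned for script markers even when the header is valid.
    """
    if os.path.basename(filename) != filename or ".." in filename:
        return False, "path separators in filename"
    if filename.count(".") != 1:
        return False, "multiple or missing extensions"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    sigs = ALLOWED_SIGNATURES[ext]
    if sigs and not data.startswith(sigs):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers in body"
    return True, "ok"


def _gif_with_comment(comment: bytes) -> bytes:
    """Build a minimal valid GIF89a whose comment extension holds `comment` (constructed sample data)."""
    assert len(comment) < 256, "single sub-block only"
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"       # 1x1 screen, no colour table
    comment_block = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"  # comment extension
    return header + comment_block + b"\x3b"                             # trailer


# Constructed samples: one harmless GIF and one whose comment field holds a placeholder PHP tag,
# mirroring the template technique described above.
BENIGN_GIF = _gif_with_comment(b"made by the constructed example")
POLYGLOT_GIF = _gif_with_comment(b"<?php /* placeholder */ ?>")


if __name__ == "__main__":
    for name, data in (("photo.gif", BENIGN_GIF), ("photo.gif", POLYGLOT_GIF),
                       ("shell.php", b"<?php"), ("a.php.gif", BENIGN_GIF)):
        print(name, "naive:", naive_check(name, data), "strict:", check_upload(name, data))
```

The naive check accepts the polyglot because its header is a genuine GIF header, which is exactly the weakness the plugin's templates probe; the strict check rejects it. Content scanning is a last line of defence, not the main one: uploads should also be stored under a server-generated name in a location that the web server never executes, so that even a file this validator misses cannot run.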