Fuzzing File Uploads With Burp Intruder
Apps and websites often need to allow users to upload files for various reasons. Sometimes users need to upload arbitrary files, such as on file bin services like S3, but most of the time, a service is expecting a specific type of file. Your bank might want a photo of your passport for KYC purposes, TikTok expects a video and so on. Unrestricted file uploads create risks for web applications, including complete system takeover, forwarding attacks to back-end systems or client-side attacks. Uploaded files can cause serious problems.
In cases where a service is expecting a specific kind of file, it is best to validate a file’s magic bytes against the expected file types.
File formats sometimes specify a few bytes to be at the start of each file. This allows programs to recognize them. For example, Windows PE executables (
.exe files) start with the byte sequence
4D 5A (
To prevent malicious files from being uploaded, web applications should check the first few bytes of a file against expected file types. There is a list of magic bytes for common file types on Wikipedia.
These magic bytes make it possible to test allowed file types quickly by generating synthetic files that contain the file header corresponding to different types. I’d created a tool, HTTPFuzz that could do this, but I’d prefer to stay in Burp Suite instead of having to switch to a CLI window. I created the File Generator extension to make this possible.
Installing File Fuzzer
File Fuzzer can be installed manually through the Extender tab in Burp Suite. It’s not on the BApp Store yet because I want to test it more, but I use it without issues on web penetration tests.
The File Fuzzer JAR is on GitHub. It’s best to download the latest release, which at the time of writing is
0.0.2-alpha. Simply install it through the Burp Extender tab.
Using File Fuzzer to Test File Uploads
Burp File Fuzzer will generate synthetic files of different types. It provides three payload generators: one that generates files, one that generates MIME types and one that generates filenames.
It should be used in Pitchfork mode with injection points placed on the file and filename. This will cause Burp File Fuzzer to generate synthetic files and appropriate filenames and MIME types.
Set the payload set according to the position of your filename and file contents. The filename will usually be first in multipart requests.
Payloads for filenames, MIME types and synthetic files should be extension generated by Filename Generator, File MIME Type Generator and File Generator respectively.
For best results, disable URL encoding for filenames and MIME types to prevent the
. in filenames and
/ in MIME types from being URL encoded.
After you’ve configured an attack, simply start the attack and Burp Intruder will generate payloads, filenames and MIME types if needed. I’ll be adding more types over time, but you can add support for additional file types by adding them to
fileHeaders in FileTypes.kt.
File Generator will add a tab to Burp’s UI that allows you to set the payload size and base filename for uploaded files. If you don’t set a size, it’ll default to 1024 bytes (1 KB).
Get File Fuzzer
File Fuzzer is open source and the code is on GitHub. You can get a pre-built JAR on the releases page. It’s currently in alpha, but I’ll add it to the BApp Store once it’s been tested by more people. I use this extension to make my life easier on web pentests.